bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/39311.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

44 lines
No EOL
3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Source: https://code.google.com/p/google-security-research/issues/detail?id=573
Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux
Platform: Windows 10, not tested any other OS
Class: Security Feature Bypass
Summary:
The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks.
Description:
Not sure if this is the only way but you can bypass the fix (which limited ProcessDeviceMap in a sandbox) by instead abusing shadow object directories. NtCreateObjectDirectoryEx takes an additional parameter of a handle to a shadow directory which works similar to the ?? -> GLOBAL?? fallback. If you can create a named object directory (so normal low IL or EPM sandboxes) you can create a dummy directory which shadows GLOBAL??. You can then construct the dos device path using something similar to my last poc by overriding the lookup for C: or GLOBALROOT by dropping an object directory or symlink. If you set the reparse point it will be redirected to an arbitrary location which you control. You can now release the inner object directory or symlink which means the shadow directory version of the name will be found meaning the higher privileged application will pick up the real target.
For example while setting reparse point you can get:
\BaseNamedObjects\Dummy\C:\windows -> \Device\NamedPipe\
if you now release the C: object directory you get:
\BaseNamedObjects\Dummy\C:\Windows -> \GLOBAL??\C:\Windows
This does have a few limitation from the previous attack:
1. You must be able to create a named object directory, but that's most places outside of a Chrome renderer.
2. The reparse point only works as long as the object directory exists, so probably the lifetime of the attacking process but that's probably okay for a typical privilege escalation.
Proof of Concept:
Ive provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or modifying the executable files ACL to low. You can compare the operation to the command shells mklink tool that will fail to create the mount point at low integrity. The archive password is password. Follow these steps:
1) Extract the PoC to a location on a local hard disk which is writable by a normal user.
2) Execute the poc executable file as low integrity passing two arguments, the path to a directory to create (must be somewhere than can be written to as low integrity user such as AppData\Temp\Low) and the arbitrary file path to set the mount point to. For example:
poc.exe c:\users\user\appdata\local\low\abc c:\notreal
3) While the PoC is running you can now list the directory and get access to its contents.
Expected Result:
It shouldnt be possible to create a mount point pointed at a location not writable by low integrity user
Observed Result:
The mount point is created successfully.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39311.zip
Reference in a new issue View git blame Copy permalink